PlugX RAT Armed With Time Bomb Leverages Dropbox In Attack

Published: 22/11/2024   Category: security


Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.



Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.
The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.
The attackers are using variants of the PlugX remote administration tool (RAT).
In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. "Typically, remote shell allows attackers to run any command on the infected system to compromise its security," the researcher wrote.
This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of an XV header as opposed to the MZ/PE header it previously had. This may be an anti-forensic technique, since it initially loads the XV header and the binary won't run unless XV is replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load a malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.
Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. "The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives," Menrige wrote.
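The XV-header trick described above is mainly a problem for static analysis: PE parsers refuse a file whose "MZ" and "PE" signatures have been overwritten. The following triage helper is an added example (not Trend Micro's code, and not the actual PlugX loader); it assumes that only the two-byte "MZ" and "PE" signatures are replaced by "XV", flags such blobs, and writes the standard signatures back into a copy so that ordinary PE tooling can inspect the dropped component. The sample blob is constructed here and is not a real executable.

```python
import struct

def build_sample(marker: bytes) -> bytes:
    """Constructed sample: a minimal PE-shaped blob (not runnable code) whose
    DOS and NT signatures carry `marker` (b"XV" for the PlugX-style case)."""
    dos = bytearray(0x40)                       # DOS header is 64 bytes
    dos[0:2] = marker                           # e_magic ("MZ" in a normal PE)
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> NT headers at 0x40
    nt = bytearray(marker + b"\x00\x00" + b"\x4c\x01")  # signature + Machine (i386)
    return bytes(dos + nt)

XV_SAMPLE = build_sample(b"XV")                 # constructed XV-headed blob

def is_xv_headed(blob: bytes) -> bool:
    """True when both the DOS signature and the NT signature read 'XV'.
    Bounds are checked so truncated or corrupt blobs never raise."""
    if len(blob) < 0x40 or blob[:2] != b"XV":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 2] == b"XV"

def restore_pe_headers(blob: bytes) -> bytes:
    """Return a copy with 'MZ' and 'PE' written back (assumption: only those two
    bytes were swapped), so static PE parsers can process it for analysis."""
    if not is_xv_headed(blob):
        raise ValueError("not an XV-headed blob")
    out = bytearray(blob)
    out[0:2] = b"MZ"
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    out[e_lfanew:e_lfanew + 2] = b"PE"
    return bytes(out)

if __name__ == "__main__":
    print("XV-headed:", is_xv_headed(XV_SAMPLE))
    repaired = restore_pe_headers(XV_SAMPLE)
    print("repaired signatures:", repaired[:2], repaired[0x40:0x44])
```

A match on a file dropped beside a legitimate signed executable is a strong triage signal for the DLL-preloading pattern described above, since a benign PE never carries this signature pair.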
"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."
