The advantage of this approach is that attackers can easily and rapidly establish a command and control infrastructure that effectively hides itself in plain sight. Taking this route, explains Cyber Squared in a new analysis, "the attackers did not have to compromise the 'easy to mitigate' midpoint infrastructure that has been previously seen in traditional targeted attacks; such as SMTP relay servers or web servers."
This attack starts with Dropbox. A disguised malicious file is uploaded to a Dropbox account. Targets then receive an email via the legitimate Dropbox file sharing notification feature. In the example given by Cyber Squared, the file in question appeared to be an ASEAN policy document – a zip file containing a Word document with an embedded malicious binary.
The binary moves on to phase two of the attack – communication with a Wordpress blog. "It would then read attacker staged content from within the blog posting to obtain a secondary domain, IP address and port number of a second stage C2 host," reports Cyber Squared. Again, since it is a legitimate WordPress blog, it doesn't have to be compromised in the traditional sense, and the commands can be quite visible. In one example given by the authors an IP address is simply inserted into a line of ampersands which act as the delimiter in an apparently innocent-looking blog posting.
The advantage for the attackers is that most security defenses aren't designed to mitigate against trusted web services like Dropbox and Wordpress. "Few enterprise net defense teams are adequately resourced or enabled to detect targeted attacks and subsequent C2 web sessions that use trusted SPI chaining techniques," explains Cyber Squared.
Robert Kraus, director of research at Solutionary SERT, is not surprised by Cyber Squared's discovery. "Cloud infrastructure has been used to host malware content used in conjunction with droppers and downloader components for malware for some time. Identification of the use of WordPress and Dropbox should not surprise anyone."
But, he adds, "The real story here is, now that we know this information, what will Dropbox and WordPress do to help mitigate the risk? They must have a process for taking down or disabling accounts if they are identified as malware/APT C&C hosts.”