Chinese APT Group Uses Dropbox to Target Hong Kong Media

A China-based APT group has been spotted conducting a targeted attack campaign designed to monitor various Hong Kong media organizations, using Dropbox for its command and control infrastructure.

FireEye explained in a blog post that the spear phishing campaign was launched in August 2015, using newsworthy events written in Cantonese as lures to deliver “publicly available RATs such as Poison Ivy, as well as some non-public backdoors.”

“The media organizations targeted with the threat group’s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor,” the firm explained.

“Cyber threat groups’ access to the media organization’s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.”

The spear phishing emails in question contained three attachments exploiting a known vulnerability in Microsoft Office (CVE-2012-0158).

A backdoor known as Lowball was used, which in turn uses Dropbox to act as a C&C server.

“It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files,” FireEye explained. “The communication occurs via HTTPS over port 443.”

The group monitors the Dropbox account in question and, when the account begins to receive responses from compromised machines, creates a file containing commands to be executed on the compromised computer.

“These commands allow the threat group to gain information about the compromised computer and the network to which it belongs,” said FireEye. “Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.”
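Because this traffic is ordinary HTTPS to Dropbox, defenders have to look at which process on an endpoint is talking to the Dropbox API rather than at the destination alone. The following is an added detection sketch, not code from FireEye or from the original article; the telemetry format, host and process names, the allowlist and the regular check-in heuristic are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Dropbox API hostnames (assumption: extend with the names seen in your own logs).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.dropbox.com"}
# Assumption: the only process sanctioned to use the Dropbox API in this environment.
SANCTIONED = {"dropbox.exe"}

# Constructed endpoint telemetry: (epoch seconds, host, process, destination, port).
SAMPLE_EVENTS = [
    (1000, "ws-news-07", "dropbox.exe", "api.dropboxapi.com", 443),
    (1000, "ws-news-12", "updater.exe", "api.dropboxapi.com", 443),
    (1300, "ws-news-12", "updater.exe", "content.dropboxapi.com", 443),
    (1601, "ws-news-12", "updater.exe", "api.dropboxapi.com", 443),
    (1899, "ws-news-12", "updater.exe", "api.dropboxapi.com", 443),
    (2200, "ws-news-12", "updater.exe", "content.dropboxapi.com", 443),
    (1500, "ws-desk-03", "python.exe", "content.dropboxapi.com", 443),
    (1700, "ws-desk-03", "python.exe", "example.org", 443),
]

def suspicious_dropbox_clients(events, min_events=4, max_jitter=0.2):
    """Return {(host, process): verdict} for unsanctioned Dropbox API clients."""
    times = defaultdict(list)
    for ts, host, proc, dest, port in events:
        if (dest.lower() in DROPBOX_API_HOSTS and port == 443
                and proc.lower() not in SANCTIONED):
            times[(host, proc.lower())].append(ts)

    findings = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Heuristic (assumed, not from the article): an implant polling for a
        # command file tends to check in at near-constant intervals.
        periodic = (len(stamps) >= max(min_events, 2)
                    and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings[key] = ("unsanctioned, periodic polling" if periodic
                         else "unsanctioned")
    return findings

if __name__ == "__main__":
    for (host, proc), verdict in sorted(suspicious_dropbox_clients(SAMPLE_EVENTS).items()):
        print(f"{host} {proc}: {verdict}")
```

An "unsanctioned" hit on its own may be a legitimate script or backup tool, so treat it as a lead for triage rather than a verdict.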

This could include second stage backdoor malware known as Bubblewrap.

Although FireEye worked with Dropbox to shut down this particular campaign, a second ongoing operation was spotted potentially targeting as many as 50—as yet unidentified—victims.

Photo © NIRUT RUPKHAM
