Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks.
Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings in the cases we analyzed related to targeted attacks.
In the last few weeks, we have reported other threats like Cryptolocker and UPATRE that leveraged this public storage platform to proliferate malicious activities. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.
When BKDR_PLUGX.ZTBF-A is executed, it performs various commands from a remote user, including keystroke logs, perform port maps, remote shell, etc., leading to subsequent attack cycle stages. Typically, remote shell enables attackers to run any command on the infected system in order to compromise its security.
This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.
Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of “XV” header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads “XV” header and the binary won’t run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.
Tools of the Trade: Going Deeper into the Network
Based on our findings, the related C&C servers for this attack are:
We dug information on 98[.]126[.]24[.]12 and found out that it seems to be related to Krypt Technologies/Krypt Keeper, while 173[.]208[.]206[.]172 is connected to a wholesale Internet supposedly owned by a certain Zhou Pizhong. Upon checking the whois detail of imm.heritageblog.org, the main domain heritageblog.org is registered to Whois Privacy Protection Service, Inc. Its purpose is to hide the registration information of the domain.
Similar to Dropbox, threat actors also lure users into thinking that the domain, firefox-sync.com is legitimate and normal by implying that it is “FireFox Sync.” In addition, this main domain (firefox-sync) is registered to a Gmail address. PassiveDNS data show that firefox-sync.com has a record of mapping to IP 0.0.0.0. “IP 0.0.0.0” is an especially reserved address normally assigned for unknown non-applicable target in a local network. The attackers may be using it as a parked domain until such time that they need to make it active.
Once the C&C communications are established, threat actors then move laterally into the network with the aid of malicious and legitimate tools to avoid being traced and detected. For this attack, some of the tools we spotted are:
- Password recovery tools
- Remote admin tools
- Networking utility tools
- Port scanners
- Htran tool
Password recovery tools are those that extract stored passwords in apps and OS found in registry and local drives. Through the technique called ‘pass the hash’, threat actors can get administrator rights or higher level access to certain parts of the network where confidential data or the company’s ‘crown jewels’ can be found.
Htran tool hides the attacker’s source IP by bouncing TCP traffic in connections in different countries. This is done so that IT administrators cannot easily trace the source IP of threat actors, thus, gaining persistence in the network.
Why Threat Intelligence is important
In 2012, we have reported about PlugX, a customized RAT used by several targeted attack campaigns as early as 2008. In our findings, we mentioned that a particular variant of PlugX hit South Korean company and a US engineering firm.
For more information on the various security incidents related to PlugX, the following entries will be helpful:
Although there are differences in the features of types I and II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that used PlugX can be detected via threat intelligence. The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks. This may be incorporated in their security solutions, thus, breaking the attack cycle and possible data exfiltration from the target enterprise or large organization.
Trend Micro protects users and enterprises from this targeted attack via its Trend Micro Deep Discovery that identifies malicious content, communications, and behavior across every stage of the attack sequence.
Note that we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting.
With analysis and additional insights from Rhena Inocencio and Marco Dela Vega
Update as of 4:27 PM, June 30, 2014
Dropbox has removed the files associated with this attack.