Monitoring network traffic is one of the ways IT administrators can determine whether a targeted attack is under way in their network. Remote access tools (RATs), commonly seen in targeted attack campaigns, are used to establish command-and-control (C&C) communications. Although the network traffic of RATs such as Gh0st, PoisonIvy, Hupigon, and PlugX is well known and can be detected, threat actors still use these tools effectively in targeted attacks.
Last May we encountered a targeted attack against a government agency in Taiwan. In this attack, the threat actors used a PlugX RAT that abused Dropbox to download its C&C settings. Abuse of Dropbox itself is not new; an earlier attack used the platform to host malware. This is, however, the first instance among the targeted-attack cases we have analyzed in which Dropbox was used to update a RAT's C&C settings.
In the last few weeks we have also reported other threats, such as Cryptolocker and UPATRE, that leveraged this public storage platform in their malicious activity. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.
When BKDR_PLUGX.ZTBF-A is executed, it accepts commands from a remote operator, including keystroke logging, port mapping, and a remote shell, which lead to the later stages of the attack cycle. The remote shell in particular lets the attackers run arbitrary commands on the infected system.
The backdoor also connects to a certain URL to retrieve its C&C settings. Using Dropbox helps mask the malicious traffic on the network, because connections to a legitimate file-storage service do not stand out. We also found that this malware has a trigger date of May 5, 2014, meaning that it does not start running before that date. The delay is probably intended to keep users from immediately suspecting malicious activity on their systems.
This is a type II PlugX variant, with new features and modifications relative to version 1. One change is the use of an “XV” header in place of the MZ/PE header the earlier version had. This may be an anti-forensic technique: the file as stored carries “XV” where the MZ and PE signatures belong, so the binary will not run (and standard PE tools will not parse it) until “XV” is replaced with the proper MZ/PE signatures. The variant also carries an authentication code from the attacker, in this case 20140513. One feature common to PlugX variants remains: the preloading (DLL side-loading) technique, in which a legitimate application loads a malicious DLL, which in turn loads the encrypted component containing the main routines. The legitimate applications it abuses for this include executables from certain AV products.