Chinese Cybercriminal Gang Uses Dropbox To Target Media Companies

An APT (Advanced Persistent Threat) gang originating from China that is allegedly responsible for attacks targeting foreign governments and ministries is now focusing its efforts on several Hong Kong-based media companies while using Dropbox, according to an independent security firm.

Security researchers at FireEye have deduced that a China-based threat group uses Dropbox for malware communication while targeting several Hong Kong media outlets. The security firm revealed in a blog post that the group targeting media outlets is referred to as “admin@338”. Researchers are aware that the group uses publicly available Trojans to attack government and financial firms that specialize in global economic policies. One example of such a Trojan is the commonly known Poison Ivy, a remote access Trojan (RAT). The group is also known to use some non-public backdoors.

In the latest attack originating from admin@338, FireEye researchers note that this is the first instance where the group used phishing lures authored in Chinese against targets. Up to three attachments were seen in each phishing email. Every email contained exploits for a now-patched Microsoft Office vulnerability.

A Sync with Dropbox

When executed, the exploit triggers a backdoor called Lowball, which starts to connect to an external location. As it turns out, Lowball syncs with an actual Dropbox account controlled by the remote attackers.

Altogether, this stage of the attack runs numerous commands on the targeted computer and then sends the output log to the Dropbox account, according to Nart Villeneuve, principal threat analyst and researcher at FireEye.

The attackers then retrieve the information from the Dropbox account to analyze their loot. If the target is deemed worthy of their time and effort, a second backdoor called Bubblewrap is initiated. Bubblewrap is akin to a legacy backdoor, traditional in the way it is used for remote access and the breach of data.

Speaking to ThreatPost, Villeneuve said:

“These attackers are using Dropbox because it provides them with a way to disguise their activities. Anyone looking at the traffic would see only encrypted connections going to Dropbox rather than traffic associated with known malware.”

The known targets of the phishing attacks include several Hong Kong-based television and radio stations, journalists and newspapers.