A remote access tool (RAT) is using Dropbox to update its command and control settings in a targeted attack against the Taiwanese government, claims Trend Micro threat analyst Maersk Menrige.
Targeted attacks have previously used Dropbox to host malware, but this is the first time Dropbox has been used to update command and control settings.
"The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents," explained Trend Micro threat analyst Maersk Menrige in a blog post.
"We also found out that this malware has a trigger date of May 5, 2014, which means that it started running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems," Menrige added.
The latest version, spotted by Trend Micro, is a type II PlugX variant because it has new features: the earlier version had an MZ/PE header, but the latest one has an "XV" header.
This new variant abuses certain AV products and features an anti-forensic technique.
However, it shares one common PlugX feature, the preloading technique: a normal application loads a malicious DLL, which in turn loads the encrypted component containing the main routines.
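A defender-side check suggested by the header change described above, as an added example that is not from the Trend Micro post: it assumes (not stated on the page) that the type II variant overwrites both the DOS "MZ" and NT "PE" signatures with "XV", builds constructed sample headers, and scans a buffer for such mangled headers.

```python
import struct

def build_header(dos_sig: bytes, nt_sig: bytes) -> bytes:
    """Constructed minimal DOS/NT header stub (not real malware):
    e_lfanew at offset 0x3C points to the NT signature at offset 0x40."""
    hdr = bytearray(0x48)
    hdr[0:2] = dos_sig
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = nt_sig
    return bytes(hdr)

NORMAL_PE = build_header(b"MZ", b"PE\x00\x00")
# Assumption: the type II variant replaces both signatures with "XV".
MANGLED_PE = build_header(b"XV", b"XV\x00\x00")

def classify_header(buf: bytes) -> str:
    """Return 'pe' for an intact PE header, 'xv-mangled' for a
    PlugX-style header with both signatures replaced, else 'unknown'."""
    if len(buf) < 0x40:
        return "unknown"
    dos_sig = buf[0:2]
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # A real DOS header is 64 bytes, so e_lfanew below 0x40 is not plausible.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(buf):
        return "unknown"
    nt_sig = buf[e_lfanew:e_lfanew + 4]
    if dos_sig == b"MZ" and nt_sig == b"PE\x00\x00":
        return "pe"
    if dos_sig == b"XV" and nt_sig[:2] == b"XV":
        return "xv-mangled"
    return "unknown"

def scan_memory(blob: bytes) -> list:
    """Return offsets in blob where an XV-mangled header starts,
    the way a memory scanner would sweep a dumped process image."""
    hits = []
    idx = blob.find(b"XV")
    while idx != -1:
        if classify_header(blob[idx:]) == "xv-mangled":
            hits.append(idx)
        idx = blob.find(b"XV", idx + 1)
    return hits

if __name__ == "__main__":
    sample = b"\x00" * 16 + MANGLED_PE + b"\x00" * 8 + NORMAL_PE
    print(scan_memory(sample))
```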
Digging deeper into the attack, the security researchers found that threat actors used malicious as well as legitimate tools to steal data and avoid being detected.
Some of the tools spotted were password recovery tools, remote admin tools, port scanners, network utility tools, and Htran, which hides the attacker's source IP by bouncing TCP connections through several countries.
Discovered in 2012, the PlugX RAT could have been used in attack campaigns since 2008, claims Trend Micro.