Trend Micro Discovers New Variant of PlugX RAT Leveraging Dropbox

Researchers at security firm Trend Micro analyzed a targeted attack against a government agency in Taiwan and found a variant of the infamous PlugX remote access tool (RAT) that abuses the popular file hosting service Dropbox.

According to the security firm, the RAT downloads its command and control (C&C) settings from Dropbox to avoid raising any suspicion by concealing malicious traffic. Security systems might not flag communications with the website as a potential threat because Dropbox is often used by organizations to store files for legitimate purposes.

The security company notified Dropbox about the incident, but experts emphasize that the attackers are not exploiting any vulnerabilities in the service. Securityweek.com published news on 27th June, 2014 stating that although it is common for cybercriminals to abuse legitimate file sharing services, this is the first time that Dropbox has been used to store C&C settings as part of a targeted attack.

Trend Micro analyzed the samples and identified them as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.

When BKDR_PLUGX.ZTBF-A executes, it carries out numerous commands from a remote user, including keystroke logging, port mapping, and remote shell, among many others. A remote shell generally lets cybercriminals run any command on the infected system to compromise its security.

This backdoor also connects to a certain URL for its C&C settings.

Trend Micro also observed that this malware has a trigger date of May 5, 2014, meaning that it activated on that date. This was perhaps done to keep users from immediately suspecting any malicious activity on their PCs.

This is therefore a type II PlugX variant, with new features and modifications compared with version 1.

The company also says that the common ground in the PlugX RAT variants reduces the risks regarding sensitive information. Softpedia.com published news on 27th June, 2014 quoting a write-up by Maersk Menrige, Threat Analyst at Trend Micro: "The information available publicly on indicators of compromise can determine if an enterprise is being hit by targeted attacks. This may be included in their security solutions to break the attack cycle and exfiltrate possible data from the target enterprise or large organization."

» SPAMfighter News - 7/8/2014
