Phishing blast uses Dropbox to target Hong Kong journalists

Campaign uses a legitimate Dropbox account as C2

Researchers at FireEye have disclosed an ongoing Phishing campaign that's using Dropbox as a delivery platform.

The campaign is ran by a group that researchers have named "admin@338" and it's targeting media organizations in Hong Kong that publish pro-democracy materials.

The attacks are using basic emails trapped with documents that deliver a malware payload called LowBall – which abuses Dropbox storage services as a command and control (C2) hub.

In a blog post, FireEye says that the campaign started in August.

Hong Kong-based news organizations, including those in radio, television, and print media, were sent phishing emails referencing the creation of a Christian civil society organization that coincided with the anniversary of the 2014 protests in Hong Kong (Umbrella Movement).

A second email campaign referenced a Hong Kong University alumni organization that is concerned about votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.

"The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China," FireEye's post explains.

"The threat group’s latest activity coincided with the announcement of criminal charges against democracy activists. During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader."

In the past, "admin@338" has used other newsworthy events as a means to deliver malware, but they've targeted financial, economic, and trade policy organizations.

This most recent campaign uses attachments that exploit older vulnerabilities in Microsoft Office, which if successful will deliver the same payload, a family of malware that FireEye has dubbed LowBall.

LowBall is a basic backdoor that uses a legitimate Dropbox storage account to act as a C2. The malware uses the Dropbox API with a hardcoded bearer access token and can upload, download, and execute files. All communication between the infected host and the C2 is done via HTTPS on port 443.

Once an infected host calls out to the Dropbox account, the group will deliver a BAT file that collects information about the computer. If there's interest, the attackers will then deliver a second payload (Bubblewrap), which is a full featured backdoor that's set to run when the system boots.

FireEye worked with Dropbox to stop the campaign, but their efforts uncovered a second, likely related, attack.

"Our cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware.

"In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims."

The overall point of FireEye's report is awareness, but the key lesson is that criminals are quite happy to abuse legitimate services as a means to avoid detection skirt defenses.

Copyright © 2015 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022