PlugX RAT Attack Exploited Dropbox

Hackers have used Dropbox yet again to plant malware. The hackers are applying remote access tools or Trojans (RATs) to exploit network vulnerabilities.

9 July 2014


Hackers have used Dropbox yet again to plant malware and launch cyber-attacks.

In this instance, the hackers are applying remote access tools or Trojans (RATs) to exploit network vulnerabilities. These enable the deployment of command-and-control (C&C) communications, says a recent blog on the website of Trend Micro, an online security solutions provider. The RAT applications appear frequently in targeted attacks against specific companies or organizations, the blog explains.

Command and control tools allow hackers to interact with compromised systems in a company’s network. Then hackers create a virtual channel into an enterprise — opening backdoors and stealing data, among other illicit activities. One of these custom RATs is called PlugX, which has been around since 2008; hackers have deployed it against both a South Korean and a U.S.-based firm.

PlugX Attacks on the Enterprise

In May, Trend Micro discovered that a Taiwanese government agency was the target of a PlugX RAT assault. The attackers relied on Dropbox to download the C&C settings. Given it’s a popular service for file storage and sharing, Dropbox helps mask the “malicious traffic” in the network.

Once the virtual C&C bridge is in place, the hackers begin probing for weaknesses. To burrow deeper into the enterprise, the hackers use:

  • Password recovery tools
  • Remote administrative tools
  • Networking utility tools
  • Port scanners
  • The Htran tool (this hides the attackers' location)

With these implements, hackers can keep digging inside a network, stealing passwords, and eventually pilfering the most precious data assets.

Gaps in Network Security

This isn’t the first time hackers have used Dropbox as a platform for an attack, the blog notes. However, uniquely, in this instance, the hackers used Dropbox to update the settings for the embedded C&C tools. The attackers also planted malware time bombs, setting them to activate on a specific date.

Trend Micro reported that Dropbox has removed the files connected to this attack. But we should expect consumer file sync and share applications will continue to be a fruitful target for hackers. In June, we discussed how some perpetrators used Dropbox to dump malware on perhaps half a million systems.

Harden the Network

Trend Micro offers an analysis of the “lateral attacks” hackers use to gradually infiltrate a network. It suggests ways to fend them off. One proactive method for IT managers to protect themselves requires mapping the network, monitoring its traffic, and gathering performance baseline data. This will allow for later comparison to see if the network has been breached.

Another defense move is to warn employees about the dangers of phishing, or to ban the use consumer-grade file sharing systems outright. In fact, Harris Interactive, Gigaom and Intralinks published research about the security threats consumer file sync and share apps can pose to the enterprise.

Want to read more? Then please look here.

Marc Songini

Marc Songini

Marc Songini has worked in the information technology field for more than 16 years. His roles have included those of journalist, analyst, and marketing communications specialist. He admits that when he started out as a cub high tech reporter, Netscape was still rocking the industry with a wondrous new user interface called a “browser.” During his 10 years with International Data Group (IDG), Marc wrote for NetworkWorld and Computerworld, both award-winning magazines. Marc specializes in cloud, enterprise apps, and figuring out the meaning of being human in an automated world.