A variant of the PlugX RAT (remote access tool) has been discovered to use a Dropbox account to update the settings for the command and control server.

Researchers at Trend Micro found that the new variant of the malware targets a government agency in Taiwan and that it contains some modifications compared to previously known versions.

The investigation revealed that the fresh sample comes with a changed header, most likely intended to hinder forensic analysis. It also carries an authentication code set by the attacker.

One particularity of the newly found Trojan is that it comes with a trigger date to start its activity. One reason for this could be to avoid being detected by the user immediately after the system has been infected.

According to Trend Micro, there are five command and control servers (C&C) the malware can contact. Further investigation revealed that one of them is related to Krypt Technologies, while another appears to be owned by a certain Zhou Pizhong.

In the case of another address, the registration details were protected and no information could be found.

By retrieving the command and control settings from Dropbox, the intruders made sure that the malicious network traffic was not easily detected, since the domain it contacted was a legitimate one.

The security company says that after the communication with the remote server has been established, “threat actors then move laterally into the network with the aid of malicious and legitimate tools to avoid being traced and detected.”

The capabilities of the malware include key-logging, port mapping and remote shell command execution.

The attackers also rely on utilities for password recovery or remote administration, as well as network tools and Htran, which is designed to cloak the IP address of the attacker by bouncing the TCP traffic through different countries.

This technique helps the attackers persist in the network, since tracing the traffic back to its source IP is not an easy task and takes time to complete.

The use of legitimate cloud storage services is not a new practice for cybercriminals, but Trend Micro says that this is the first case they’ve seen in which such a service was employed for updating the settings for the C&C server.

Normally, the abuse would occur by using the platform which stores the malware to be delivered to the targeted victim.

The company also says that the common ground in the PlugX RAT variants allows mitigation of the risks regarding sensitive information. “The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks. This may be incorporated in their security solutions, thus, breaking the attack cycle and possible data exfiltration from the target enterprise or large organization,” writes Maersk Menrige in Trend Micro's blog post.