Chinese APT group abused Dropbox to spread LOWBALL malware

FireEye researchers discovered an advanced persistent threat group that used Dropbox to launch a spear phishing campaign against Hong Kong media companies.

FireEye Inc. this week announced its threat intelligence analysts recently discovered a sophisticated spear phishing campaign that used cloud storage service Dropbox as its base of operations.

According to the FireEye report, the spear phishing campaign targeted Hong Kong media companies in August to spread a malware payload known as "LOWBALL" and used Dropbox for command and control infrastructure. FireEye researchers wrote that the LOWBALL malware uses the Dropbox API with "a hardcoded bearer access token" that allows it to upload, download and execute files.

Once LOWBALL infects a system and calls back to the Dropbox account, a batch file is uploaded to the system that collects information about the system, its user, and its network access to determine if that particular system is worth exploiting further. A second type of malware called BUBBLEWRAP, which the report describes as "a full-featured backdoor," can then be delivered to give the APT group access to the system as soon as it boots.

FireEye researchers said the spear phishing campaign is the latest example of threat actors abusing free cloud services to execute their hacks. "The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services, such as social networking and cloud storage sites, to foil detection efforts," the report read. "LOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders."

The FireEye report also claimed that a China-based advanced persistent threat group, known to other security researchers as "admin@338," was likely behind the campaign, which has launched similar attacks against Hong Kong media companies.

FireEye said it worked with Dropbox to investigate and remediate the phishing campaign, and that during that effort they discovered a second, similar campaign on the cloud storage service. FireEye researchers said that they couldn't determine yet if the admin@338 APT group was behind the second campaign, or who the intended targets were. But the report did state that the Dropbox security team was able to stop the campaign by putting countermeasures in place, though neither FireEye nor Dropbox has specified what those countermeasures are.

Craig Young, security researcher at Tripwire Inc., a security software vendor based in Portland, Ore., said abusing legitimate cloud services like Dropbox gives APT groups several advantages. "There are a few benefits to attackers, and the first one is that they don't have to pay for the infrastructure," he said. "The second one is that using cloud services helps them hide from security teams. If you're seeing a lot of traffic going to and from Dropbox, that's not going to raise a lot of flags."

The abuse of cloud services puts both enterprises and cloud providers in a sticky situation, Young said. "Enterprises can put in place a strict policy that limits the use of cloud to only a small number of approved cloud services, but the problem with that technique is that it limits employee productivity," he said. "And if you're going to ban Dropbox and Google Drive and other cloud services and only approve Box, for example, then the attackers are just going to move to that service."

As for the cloud providers themselves, Young said there are some approaches they can take to prevent threat actors from abusing their services, such as monitoring for automated traffic to their APIs. But there may be legitimate purposes for such traffic, he said, so cloud providers need to be careful about how they monitor, assess and block such traffic.
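The same idea of watching for automated API traffic can be applied on the enterprise side, where the volume of Dropbox traffic says little but the endpoint, client and timing say more. The sketch below is an added example, not taken from the FireEye report or from Dropbox: it flags hosts whose requests to Dropbox API hostnames come from an unapproved client at near-constant intervals. The log format, the `corp-backup/` allowlist entry and the thresholds are assumptions.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import datetime

# Dropbox API hostnames; sync-client and browser traffic goes to other hosts.
API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com",
             "api.dropbox.com", "api-content.dropbox.com"}
# Assumption: user-agent prefixes of integrations the organisation approved.
APPROVED_AGENTS = ("corp-backup/",)  # hypothetical internal tool

# Constructed proxy log: timestamp, source host, destination host, user agent.
SAMPLE_LOG = """\
2015-08-03T09:00:00,ws-014,api.dropboxapi.com,Mozilla/4.0
2015-08-03T09:00:10,ws-022,content.dropboxapi.com,corp-backup/2.1
2015-08-03T09:01:00,ws-040,api.dropboxapi.com,python-requests/2.7
2015-08-03T09:02:30,ws-040,api.dropboxapi.com,python-requests/2.7
2015-08-03T09:03:12,ws-031,www.dropbox.com,Mozilla/5.0
2015-08-03T09:05:01,ws-014,api.dropboxapi.com,Mozilla/4.0
2015-08-03T09:10:00,ws-014,content.dropboxapi.com,Mozilla/4.0
2015-08-03T09:10:10,ws-022,content.dropboxapi.com,corp-backup/2.1
2015-08-03T09:15:02,ws-014,api.dropboxapi.com,Mozilla/4.0
2015-08-03T09:20:00,ws-014,api.dropboxapi.com,Mozilla/4.0
2015-08-03T09:20:10,ws-022,content.dropboxapi.com,corp-backup/2.1
2015-08-03T09:30:10,ws-022,content.dropboxapi.com,corp-backup/2.1
2015-08-03T09:40:00,ws-040,api.dropboxapi.com,python-requests/2.7
2015-08-03T11:15:00,ws-040,api.dropboxapi.com,python-requests/2.7
"""

def find_beaconing(log_text, max_jitter=0.1, min_requests=4):
    """Return {source: mean interval in seconds} for hosts whose unapproved
    Dropbox API requests are evenly spaced, as timer-driven callbacks are."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dest, agent = row
        if dest in API_HOSTS and not agent.startswith(APPROVED_AGENTS):
            seen[src].append(datetime.fromisoformat(ts))
    suspects = {}
    for src, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near 0 means near-constant spacing.
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            suspects[src] = round(mean)
    return suspects
```

On the constructed log, only `ws-014` is returned: the approved integration is skipped by the allowlist, and the irregular, human-driven API calls from `ws-040` fail the regularity test.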

Young said he expects to see more attacks like the Hong Kong spear phishing campaign that abuse cloud services. "Right now, this approach works for attackers," he said. "There's no incentive to not use cloud services, and nothing preventing the attackers from using them, so there is really no reason for them to stop."
