The security firm Trend Micro has reported a targeted attack against a Taiwanese government entity that used a variant of the PlugX RAT which abuses the Dropbox service. PlugX Remote Access Tool (RAT) is a remote access Trojan also called Korplug; some older variants are also known as Sogu, Thoper, TVT, or Destory RAT. PlugX is a very popular remote access tool among hackers and cyber criminals because it is cheap and the operator's remote command and control (C&C) server can be hidden behind the wide diffusion of the malicious agent. The PlugX software design also allows plugins or APIs to be updated independently and in a backward-compatible way, without interrupting the execution of the malware or requiring it to be reinstalled.
Researchers from Trend Micro were analyzing a targeted attack that hit a government agency in Taiwan last May. In that attack, the cyber criminals used a PlugX RAT that abused Dropbox to download and later update its C&C settings, allowing them to remotely target the Taiwanese entity and gain control of some machines. Security experts noted that Dropbox had previously been abused by cyber criminals to host malware, but never to update C&C settings. In this case, however, Trend Micro found that the cyber criminals used Dropbox to update the malware's C&C settings, which Trend Micro considers an alarming sign.
The benefit of using Dropbox is twofold for the cyber criminals. Dropbox is often used by staff, so the security systems deployed by the company may not flag communications between the PlugX RAT and Dropbox folders as an indicator of compromise. The other benefit is that Dropbox abuse lets attackers masquerade their malicious traffic as legitimate, making detection by law enforcement and security firms harder.
Trend Micro has identified two variants of PlugX, namely BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A. These two variants have all the classic features available in any other RAT. Of the two, the second one (TROJ_PLUGX.ZTBF-A) is relatively new and is considered a new version. It is more sophisticated than the PlugX variants studied so far: it incorporates anti-forensic techniques, an authentication mechanism for the attacker, a different encryption algorithm, an extended configuration, and more protocols and functions. Thus it gives complete anonymity to the cyber criminal through its complex diffusion methods.
Trend Micro said that in the Taiwanese entity hack, the attackers used a particular PlugX RAT variant that includes a triggering mechanism based on the system date, which makes it much harder to detect.
“This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.” continues Trend Micro.
Trend Micro stated that it had notified Dropbox of the targeted attack, but there is little Dropbox can do. The fact of the matter is that there is no vulnerability in Dropbox; the cyber criminals are simply using Dropbox's file-sharing feature to update their C&C server settings.
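Because the C&C configuration travels over a legitimate service, destination reputation alone will not catch it; what is left in proxy logs is a host repeatedly fetching the same Dropbox-hosted file with something other than the Dropbox client. The following is an added detection example, not code from the Trend Micro report: the log lines, the hostnames, the user agents and the polling heuristic are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines, not taken from the Trend Micro report:
# "<timestamp> <client_ip> <user_agent> <method> <url>"
SAMPLE_LOG = """\
2014-05-04T09:12:03 10.0.0.21 DropboxDesktopClient/2.8.2 POST https://api.dropbox.com/1/files_put/auto/report.docx
2014-05-05T08:00:14 10.0.0.37 Mozilla/4.0 (compatible; MSIE 6.0) GET https://dl.dropboxusercontent.com/u/12345/settings.dat
2014-05-05T08:00:45 10.0.0.37 Mozilla/4.0 (compatible; MSIE 6.0) GET https://dl.dropboxusercontent.com/u/12345/settings.dat
2014-05-05T10:30:11 10.0.0.42 Mozilla/5.0 (Windows NT 6.1) Firefox/29.0 GET https://www.dropbox.com/home
2014-05-06T08:01:02 10.0.0.37 Mozilla/4.0 (compatible; MSIE 6.0) GET https://dl.dropboxusercontent.com/u/12345/settings.dat
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (GET|POST|PUT) (\S+)$")
# Hosts that serve raw file content from Dropbox shares (hypothetical list for this example).
DROPBOX_FILE_HOSTS = ("dl.dropboxusercontent.com", "dl.dropbox.com")
# User-agent prefixes treated as the legitimate desktop client (hypothetical value).
TRUSTED_AGENT_PREFIXES = ("DropboxDesktopClient/",)


def parse_log(text):
    """Yield (timestamp, client_ip, user_agent, method, url) per line; skip unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def host_of(url):
    """Return the lowercased host part of a URL."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def find_config_polling(text, min_fetches=2):
    """Flag clients that repeatedly fetch the same Dropbox-hosted file with a user
    agent other than the desktop client: the trace a config-update channel like
    the one described above would leave in proxy logs."""
    seen = defaultdict(list)  # (client_ip, url) -> [timestamps]
    for ts, ip, ua, method, url in parse_log(text):
        if method != "GET" or host_of(url) not in DROPBOX_FILE_HOSTS:
            continue
        if ua.startswith(TRUSTED_AGENT_PREFIXES):
            continue
        seen[(ip, url)].append(ts)
    alerts = {}
    for (ip, url), stamps in seen.items():
        if len(stamps) >= min_fetches:
            alerts[ip] = {"url": url, "count": len(stamps), "first_seen": min(stamps)}
    return alerts
```

On the constructed sample, `find_config_polling(SAMPLE_LOG)` flags only 10.0.0.37, and its `first_seen` value is the kind of field a responder would compare against a suspected trigger date such as the May 5, 2014 date in the report.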
You can read more about the PlugX RAT here.