Hackers in China launched a spear phishing campaign in August that targeted media outfits in Hong Kong, according to security research firm FireEye. The hackers used e-mail messages carrying malicious files with a malware payload called Lowball.
Lowball abuses Dropbox’s cloud storage service for command and control (CnC), using it as the channel through which the attackers control the victim’s PC. FireEye worked with Dropbox to investigate the incident, which revealed what appeared to be a second operation that functions in much the same way.
Ultimately, FireEye said this attack was part of a trend of malicious groups hiding their deeds by connecting to legitimate Web services, including cloud storage and social networking sites.
Dialing Into Dropbox
Here’s the backstory: Hackers sent spear phishing e-mails to several Hong Kong-based newspaper, radio and television stations in August. The first e-mail contained a message about creating a Christian civil society group in conjunction with the anniversary of the 2014 “Umbrella Movement” protests, a series of mass sit-in street protests that occurred in Hong Kong from September 26 to December 15, 2014. The protests were against proposed reforms to the Hong Kong electoral system.
The second e-mail the hackers sent contained a message about a Hong Kong University alumni group concerned about a referendum vote to appoint a pro-Beijing vice chancellor.
“This backdoor, known as Lowball, uses the legitimate Dropbox cloud-storage service to act as the CnC server,” FireEye wrote in a blog. “It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.”
Ultimately, the hacker group checks its Dropbox account to see whether any victims' machines have responded. When the Lowball malware calls back to the Dropbox account, the attackers create a file carrying commands for the hacked computer to execute. The malware then runs those commands on the machine, which give the hackers information about the computer’s network so they can download more software onto it.
Not Targeting Dropbox
We turned to Craig Young, a cybersecurity researcher for advanced threat detection firm Tripwire, to get his take on the malware. He told us this is not a threat toward Dropbox users, but the attackers are relying on Dropbox to help stay under the radar.
“Many security departments would recognize command and control traffic because the communication is to unexpected places on the Internet but since Dropbox is so prevalent and communication is encrypted, it is impossible to distinguish the sessions from real Dropbox usage,” Young said.
The concept behind this attack is not new, Young said. In fact, Tripwire is aware of various other malware campaigns leveraging cloud services, including one that uses the attacker's Gmail account as a private channel for controlling infected systems, he added.
“Proper vulnerability management and endpoint security controls along with user education on phishing are the best techniques to protect against this campaign,” Young said. “The fact that the attackers are successfully using a vulnerability from 2012 is a testament to the fact that the victims are not using up-to-date software.”
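As an added illustration of the detection problem Young describes (example code written for this page, not from FireEye, Tripwire or the Lowball analysis): since the traffic is HTTPS to a service most organizations already use, the usable signal is not the destination but which process on the endpoint is talking to the Dropbox API. The log format, the process allowlist and the API hostnames are assumptions to be adjusted per environment.

```python
# Added example (not from FireEye, Tripwire or the article): a heuristic over
# endpoint-style network logs that surfaces Dropbox API traffic originating from
# processes other than the Dropbox client, the pattern a Dropbox-based CnC relies on.
# Assumes an endpoint agent records the originating process; a plain proxy without
# TLS inspection only sees the destination hostname, which looks like normal usage.
from collections import defaultdict

# Hostnames the Dropbox HTTP API is served from (assumption: maintain per environment).
DROPBOX_API_HOSTS = {"api.dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com"}
# Processes expected to call the Dropbox API directly (assumption: adjust per fleet).
EXPECTED_PROCESSES = {"dropbox.exe"}

# Constructed sample log lines: timestamp, client host, process, destination host, bytes out.
SAMPLE_LOG = """\
2015-08-11T09:02:13Z ws-07 Dropbox.exe api.dropboxapi.com 1840
2015-08-11T09:02:40Z ws-07 Dropbox.exe content.dropboxapi.com 524288
2015-08-11T09:05:02Z ws-12 WINWORD.EXE api.dropbox.com 612
2015-08-11T09:05:09Z ws-12 WINWORD.EXE api.dropbox.com 2210
2015-08-11T09:07:55Z ws-03 chrome.exe www.dropbox.com 980
"""

def parse_line(line):
    """Split one constructed log line into a record; names are lower-cased for matching."""
    ts, host, proc, dst, out_bytes = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(),
            "dst": dst.lower(), "bytes_out": int(out_bytes)}

def find_suspect_api_use(log_text):
    """Return {client_host: [records]} for Dropbox API calls made by unexpected processes."""
    suspects = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only API hostnames matter: a browser on www.dropbox.com is ordinary user activity.
        if rec["dst"] not in DROPBOX_API_HOSTS:
            continue
        if rec["proc"] not in EXPECTED_PROCESSES:
            suspects[rec["host"]].append(rec)
    return dict(suspects)

if __name__ == "__main__":
    for host, recs in find_suspect_api_use(SAMPLE_LOG).items():
        procs = sorted({r["proc"] for r in recs})
        total = sum(r["bytes_out"] for r in recs)
        print(f"{host}: {len(recs)} Dropbox API calls from {procs}, {total} bytes out")
```

The allowlist is deliberately process-based rather than volume-based: a hardcoded-token backdoor polling for a command file produces tiny requests that a byte threshold would never catch.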