Chinese Group ‘Admin338’ Use DropBox To Deliver Their Payload

FireEye Threat Intelligence analysts have discovered a new phishing attack carried by a Chinese group using legitimate service like dropbox.

Analysts found the cyber group (which is unnamed at the moment but some researchers term them as “admin@338”) sending emails with links to dropbox containing documents. The documents in reality were having payload malware known as LOWBALL. LOWBALL uses dropbox as command and control.

When the researchers reach out to dropbox, they said this is the 2nd time this year hackers have used their service for spreading malware.

These malware threats are part of a new trend of malware where hackers are using cloud services such as dropbox or social networking sites to spread malware.

China was also blamed for spying on pro-democracy protesters in Hong Kong with an Android spyware disguised as an ‪‎OccupyCentral‬ app to keep an eye on the protesters.

FireEye in August 2015 caught Chinese hackers spying on Tibetan activists and as well as dozens of organizations in Bangladesh, Nepal, and Pakistan.

This Chinese group in past has used newsworthy events for delivering malware. Their focus was largely targeted organizations (mostly financial, economic or trade policy relevant). They mostly used publicly available RATs like Poison Ivy and some non-public backdoors.

For hackers, their main targets are Hong Kong’s media organizations who publish contents relevant to pro-democracy. What they use for their target is a well-crafted document in the Chinese language which once downloaded can give access to Chinese government access to updates on upcoming protests, information relevant to pro-democracy groups leaders and insight on how internet activity was disrupted in 2014 where several websites faced DDoS attacks.

In August 2015, hackers first time attacked the media organizations from Hong Kong in which they send two emails, first one with reference to the creation of a Christian civil organization alongside the first anniversary of 2014 Hong Kong protests known as Umbrella movement. The second one references a Hong Kong University alumni organization which fears vote in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Bejing interests.

What was interesting about these emails is that they were written in traditional Chinese which is read in Hong Kong, hacker’s previous scamming email were in English to disguise Western audiences so it looks this group is planning very well and try level best to trick victims into believing these at genuine emails.

The email from hackers had three attachments and had attached documents which were compromised by the hackers from an older Microsoft Office vulnerability.

FireEye’s researchers on this malware are admirable as it allowed Dropbox to work on the removal of the malware from their service. Though, they were not able to identify exactly which cyber group was behind this malware but the previous attacks carried out by admin@338 indicate they might be the one to blame.

Dropbox is a good source for cybercriminals to conduct their operations. In the past, Kathleen Calligan, the CEO of the BBB had her email account hacked with an email she thought came from Dropbox.


Related Posts