Pierluigi Paganini
December 01, 2015
Experts at FireEye have discovered an ongoing phishing campaign using a Dropbox account linked to “admin@338” as the delivery platform.
The account ” admin@338 ” was also used in the past to deliver malware, but at the time the main target were financial, economic, and trade policy organizations. In March 2014, FireEye discovered that the group of Chinese-based hackers called “admin@338” had sent multiple MH370-themed spear phishing emails, the attackers targeted government officials in Asia-Pacific, it is likely for cyber espionage purpose.
The hacking campaign is targeting Hong Kong media organizations, which publish democratic articles. The crooks are using a simple email attach with documents as threat vector, that when victims open the attachments a malicious payload is delivered. The malware is LowBall and uses dropbox as Command and Control infrastructure.
The malicious code exploits an old Microsoft Office vulnerabilities (CVE-2012-0158), known as LowBall.
Lowball “uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443”
If the victim calls the dropbox account, a BAT file will be downloaded, and will run the BAT to collect information about the victim’s computer. If the attacker thinks that the PC has relevant information, a second payload known as Bubblewrap will be delivered.
By the details provided by FireEye, the phishing campaign started in August targeting all types of media in Hong Kong, radio, television, and print media, and it’s using 2 different type of emails as explained in the report:
“The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement.”
“The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.”
Experts speculate the cybercriminals started targeting Hong Kong media sector in response the economic problems between Hong Kong and China.
“The threat group’s latest activity coincided with the announcement of criminal charges against democracy activists. During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.”
FireEye uncovered the campaign in joint effort with Dropbox, but the experts of the firm end up finding out a second campaign.
“Our cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware.” states FireEye
“In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.”
In the end, this is another campaign in the middle of many, which use similar strategies but it is relevant as example to make people aware of these type of campaigns.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Phishing campaign, Dropbox)
