A Chinese Advanced Persistent Threat (APT) group allegedly responsible for attacks against foreign governments and ministries has shifted its focus to Hong Kong-based media companies, using Dropbox for its malware's communications.
The group, identified as ‘admin@338’, has been active since 2008 and uses publicly available Trojans such as ‘Poison Ivy’ to attack organizations in the financial services, telecoms, government, and defense sectors. The group is also known to use some non-public backdoors.
This is, however, the first instance in which the group has used Chinese-language phishing lures against its targets. Each phishing email carried three attachments containing exploits for a patched Microsoft Office vulnerability, CVE-2012-0158, a buffer overflow in the Windows Common Controls library that was patched in early 2012.
On execution, the exploit drops a backdoor dubbed ‘Lowball’, which connects to an external location. Lowball then syncs with a legitimate Dropbox account controlled by the remote attackers.
In the first stage, the attackers run a number of commands on the infected computer and send the output to the Dropbox account, which serves as the command-and-control (C&C) channel. The attackers then retrieve and analyse the information and, if the target is deemed worthwhile, deliver a second-stage backdoor called ‘Bubblewrap’, which is used for remote control and data theft.
The research was carried out by network security company FireEye.
The same group was also suspected of launching a phishing campaign in August against media organizations in Hong Kong. In March of last year, the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank.
This isn’t the first time China has targeted media outlets in search of sources that would keep it ahead of the news cycle.
In January 2013, hackers allegedly connected to the Chinese government were blamed by Mandiant for a breach at the New York Times. The group broke into the email accounts of investigative journalists, seeking information on the corruption scandal involving then-Chinese premier Wen Jiabao.