Chinese Hackers Used Dropbox To Attack Hong Kong Media

Hackers in China launched a spear phishing campaign in August that targeted media outfits in Hong Kong, according to security research firm FireEye. The hackers used e-mail messages carrying malicious files with a malware payload called Lowball.

Lowball abuses Dropbox's cloud storage service for command and control (CnC): the attackers issue commands and retrieve results through Dropbox rather than through infrastructure of their own, so the infected PC only ever appears to be talking to a legitimate cloud service. FireEye worked with Dropbox to investigate the incident, revealing what appeared to be a second operation that functions in much the same way.

Ultimately, FireEye said this attack was part of a trend of malicious groups hiding their deeds by connecting to legitimate Web services, including cloud storage and social networking sites.

Dialing Into Dropbox

Here's the backstory: Hackers sent spear phishing e-mails to several Hong Kong-based newspaper, radio and television stations in August. The first e-mail contained a message about creating a Christian civil society group in conjunction with the anniversary of the 2014 "Umbrella Movement" protests, a series of mass sit-in street protests that occurred in Hong Kong from September 26 to December 15, 2014. The protests were against proposed reforms to the Hong Kong electoral system.

The second e-mail the hackers sent contained a message about a Hong Kong University alumni group concerned about a referendum vote to appoint a pro-Beijing vice chancellor.

"This backdoor, known as Lowball, uses the legitimate Dropbox cloud-storage service to act as the CnC server," FireEye wrote in a blog. "It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443."

The hacker group periodically checks its Dropbox account for check-ins from victims' machines. When the Lowball malware calls back to the Dropbox account, the attackers create a file that carries commands...
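As an added illustration (not Lowball's code and not FireEye's analysis) of the dead-drop pattern described above: implant and operator share one hardcoded bearer token and use nothing but the storage service's upload, download and list operations as the command channel. The Dropbox API is replaced by an in-memory stand-in, "execution" is a lookup table rather than a real process launch, and the token, folder layout, Dropbox API host names and process paths are all assumptions. The tail shows the kind of endpoint check a defender can apply: the traffic itself is HTTPS to a legitimate host, so the useful signal is which process is talking to the API.

```python
"""Simulation of a cloud-storage dead-drop C2 plus an endpoint telemetry check.
Illustrative only: no network traffic, no command execution."""
import json
import ntpath

# Constructed stand-in for the attacker's hardcoded bearer token (assumption).
HARDCODED_TOKEN = "EXAMPLE-TOKEN-NOT-REAL"


class FakeDropbox:
    """In-memory stand-in for a file-storage API: upload/download/delete/list.
    In the real case every call is HTTPS to Dropbox, indistinguishable at the
    network layer from ordinary cloud-storage use."""
    def __init__(self, valid_token):
        self.valid_token = valid_token
        self.files = {}  # path -> bytes

    def _auth(self, token):
        if token != self.valid_token:
            raise PermissionError("invalid bearer token")

    def upload(self, token, path, data):
        self._auth(token)
        self.files[path] = data

    def download(self, token, path):
        self._auth(token)
        return self.files.get(path)

    def delete(self, token, path):
        self._auth(token)
        self.files.pop(path, None)

    def list_folder(self, token, prefix):
        self._auth(token)
        return sorted(p for p in self.files if p.startswith(prefix))


class Implant:
    """Victim side: beacon, poll for a command file, upload the output.
    Command 'execution' is a fixed table; nothing is actually run."""
    FAKE_EXEC = {"whoami": "hk-media\\reporter", "hostname": "NEWSDESK-07"}

    def __init__(self, api, victim_id):
        self.api, self.root = api, f"/victims/{victim_id}"
        self.victim_id = victim_id

    def beacon(self):
        info = json.dumps({"id": self.victim_id, "host": "NEWSDESK-07"})
        self.api.upload(HARDCODED_TOKEN, f"{self.root}/beacon.json", info.encode())

    def poll(self):
        """Consume a pending command file, upload its output, return the output."""
        cmd_path = f"{self.root}/cmd.txt"
        cmd = self.api.download(HARDCODED_TOKEN, cmd_path)
        if cmd is None:
            return None
        self.api.delete(HARDCODED_TOKEN, cmd_path)
        out = self.FAKE_EXEC.get(cmd.decode(), "unknown command")
        self.api.upload(HARDCODED_TOKEN, f"{self.root}/out.txt", out.encode())
        return out


class Operator:
    """Attacker side: same token, same account, no server of its own."""
    def __init__(self, api):
        self.api = api

    def victims(self):
        paths = self.api.list_folder(HARDCODED_TOKEN, "/victims/")
        return sorted(p.split("/")[2] for p in paths if p.endswith("beacon.json"))

    def task(self, victim_id, command):
        self.api.upload(HARDCODED_TOKEN, f"/victims/{victim_id}/cmd.txt", command.encode())

    def collect(self, victim_id):
        data = self.api.download(HARDCODED_TOKEN, f"/victims/{victim_id}/out.txt")
        return None if data is None else data.decode()


def run_exchange():
    """One full round trip: beacon -> operator tasks -> implant answers -> operator reads."""
    api = FakeDropbox(HARDCODED_TOKEN)
    implant, operator = Implant(api, "v001"), Operator(api)
    implant.beacon()
    assert operator.victims() == ["v001"]
    operator.task("v001", "whoami")
    implant.poll()
    return operator.collect("v001")


# Defender side. Constructed records in the shape of an EDR/Sysmon network
# event: (process image, destination host). Host names and the client path
# are assumptions, not facts from the report.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_DROPBOX_CLIENTS = {"Dropbox.exe"}
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "content.dropboxapi.com"),
    (r"C:\Users\reporter\AppData\Local\Temp\svchost.exe", "api.dropboxapi.com"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.dropbox.com"),
]


def suspicious_dropbox_api_users(events):
    """Flag processes talking to the Dropbox API that are not the Dropbox client.
    A heuristic: port 443 to a legitimate host is not a signal, the process is."""
    return [img for img, host in events
            if host in DROPBOX_API_HOSTS
            and ntpath.basename(img) not in EXPECTED_DROPBOX_CLIENTS]


if __name__ == "__main__":
    print("operator collected:", run_exchange())
    print("suspect processes:", suspicious_dropbox_api_users(SAMPLE_EVENTS))
```

The point of the simulation is what is absent: no attacker-owned domain, no custom protocol, just file writes and reads against one shared account. Blocking or alerting on the Dropbox API hosts would also break legitimate use, which is why the process-based check is the more practical starting point.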
