Danish-speaking users hit by malware spread via Dropbox links

Pierluigi Paganini March 11, 2017

Danish-speaking users were infected by malware spread through Dropbox, but the company quickly adopted the countermeasures to stop the attack.

According to the experts from security firm AppRiver, Danish-speaking users were hit by an unusual malware-based attack.

The attack hit Denmark, Germany, and several surrounding Scandinavian countries on Wednesday morning.

Danish-speaking users were infected by malware spread through Dropbox, but the company quickly adopted the countermeasures to stop the attack.

“Early this morning, Denmark, Germany and several surrounding Scandinavian countries were hit with a large volume malware attack. The attack leveraged the legitimate cloud storage service Dropbox to host their malware payloads while attempting to disguise the links with random strings of characters and varying filenames.” reads the analysis shared by AppRiver. “In the past 12 hours, we have quarantined thousands of these messages, which only represents a small percentage of the total message volume.”Dropbox spamIt is not clear how threat actors have chosen the potential targets of the attack that I remind you is composed of Danish-speaking users.

The exploitation of Dropbox by crooks is not a novelty, an attacker can use spam messages containing links to cloud storage that points malicious files, they leverage on the fact that usually there are no restrictions on the Dropbox traffic.

The researchers noticed that the attackers used a unique link for each malicious message on the hacking campaign, this circumstance suggests the attackers used an automated script to randomly create the Dropbox file shares.

The researchers discovered that the attackers sent out messages claiming to provide shipping details and a fake invoice. The links included in the messages point to a .zip archive that contained a JavaScript file which contained a Trojan dropper.

“Lately we have seen more email providers tighten restrictions on what type of files can be sent/received as an attachment. In response, malware distributors, whom are always looking for a weakness to exploit, have embraced file sharing as an alternative means to distribute those malicious files. We expect this trend to continue throughout the year.” continues the analysis.

Troy Gill, security analyst at AppRiver, explained that Dropbox quickly replied to the attack, after two hours almost all the malicious links were disabled.

“I would say that after about an hour, we saw a lot of the links disabled,” he said. “After two hours, I was hard press to find a link that wasn’t disabled.”

Crooks sent out hundreds of thousands, maybe millions of messages.

How to protect companies from such kind of attacks?

Businesses can use spam filters, but a more aggressive approach implies the ban of emails embedding Dropbox links.

“If you wanted to be aggressive, you could ban inbound Dropbox content links,” he said. “And if you decided that your organization wasn’t going to use it, you could easily make a change to your spam filter or your web filter to block access to Dropbox entirely.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DropBox, spam)

you might also like

leave a comment