We have already seen attacks in which bad actors use the popular cloud storage, a few days ago Trend Micro analyzed a targeted attack against a Taiwanese government entity which used a variant of the PlugX RAT that abuses the Dropbox service too.

“The threat actor used the cloud-based file-sharing service offered by Dropbox to host four separate pieces of the payload for the exploit. We reported these links to the Dropbox security team who confirmed that they disabled the file share links. We believe the londonpaerl.co.uk and selombiznet.in domains act as command and control servers.” reported Cisco in a blog post.

Hackers have leveraged a consolidated technique using Visual Basic for Applications, to conduct the attack.

“In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.” states the post.

Cisco announced that next week it will provide more information on the group responsible for the attacks, on the exploits used in the offensive, including data on the malware used by attackers and obfuscation techniques implemented.

Pierluigi Paganini

(Security Affairs –  Cisco, cybercrime)0