Disguised as government papers, viruses sent by Chinese hackers have been making their rounds through Dropbox, a popular cloud-based Internet service that allows users to share files, in a new method detailed in a cyber security report published last week.
Hackers have grown more creative with their methods now that security teams are concentrating on weeding them out. The attacks are the work of DNS Calc, a Chinese hacker group that uses techniques similar to those of Comment Crew, the Chinese group behind the attack on the New York Times last year, says Cyber Squared, a security company based in Arlington, Virginia.
As the first step in their scheme, Chinese hackers signed up for Dropbox, uploaded the malware and sent an email invitation linking to it to their targets.
Using this technique, hackers were able to maintain anonymity, draw targets in with the credibility of the Dropbox brand, and avoid traditional anti-virus detection.
The hackers’ decision to hide the malware in an Association of South East Asian Nations (ASEAN) policy document suggested that the targets were “individuals or representatives of regional member nations” of ASEAN, a geopolitical and economic organization, according to the firm’s report.
Embedded in the Word document was what appeared to be an Adobe PDF but was actually a file carrying a fake PDF icon, which copied itself onto the infected user’s hard drive.
A decoy PDF would also be downloaded, titled “US-ASEAN Business Council Internal Draft,” which, if real, must have been stolen from foreign policy officials—an example of how “sophisticated threats will often leverage stolen data,” according to the security report.
The copied fake-PDF file on the hard drive would then contact a WordPress blog that appeared to be an essay on geopolitics, the topic again suggesting that the hackers were targeting ASEAN representatives, but which actually contained hidden code directing the malware to another IP address.
That request would connect the computer to a further host with additional instructions, at which point Cyber Squared stopped the attack to keep its computers from further damage.
In the face of such imaginative attacks, traditional network- and host-based security solutions are no longer enough. Detecting hacking threats now requires computer users to understand the methods and means of the hackers themselves, the security firm says.
Although hackers are experimenting with new platforms for spreading malware, a pattern of similar methods has been observed.
In April, the Comment Crew used fake PDF icons with a decoy PDF that detailed more geopolitics, this time an itinerary of an event hosted by the U.S. National Defense Industrial Association, a voluntary organization associated with the government and military.
In March, the Comment Crew made fake websites that resembled important South Korean government and education sites, in what analysts suspected to have been a bid for intelligence on South Korean operations during a sensitive time that culminated in North Korea’s declaration of war on the South.
This article has been updated to reflect the following corrections: the Chinese hacker group responsible for sending viruses through Dropbox is DNS Calc, not Comment Crew.