Dropbox And WordPress.com – Infrastructure For Malware Attacks

Network security is one of those things in life I find fascinating. It’s a constant battle between good and evil. Just when the good guys think they have things figured out, the bad guys change their techniques. With all of the good that comes from using Cloud based services, there is also the other side of the coin. Cybersquared, a company dedicated to network and cyber security published a report with their findings on how today’s attackers are using what they call, Service Profile Infrastructure to facilitate command and control a.k.a. C2 phases of attack.

In this report, it was highlighted that a Chinese Advanced Persistent Threat group used Dropbox and its file sharing notification feature to email links to targets that contained malicious binaries. This was considered phase 1 of the attack. Phase 2 worked with a WordPress.com hosted blog which acted as the command and control center. Once the malicious binaries were in use, the malware contacted the blog which hosted content that contained the IP address as well as the port number to receive commands from.

Here is a screenshot from the WordPress.com account mentioned in the report. The site is still online but I don’t know if it’s actively being used in malware attacks. Clearly, the site has been in violation of the WordPress.com TOS for a long time. Specifically this section – the Content does not contain or install any viruses, worms, malware, Trojan horses or other harmful or destructive content; (It’s since been suspended)

Gressered Website

Once a victim was successfully targeted with the “Yayih” implant, the malware contacted a WordPress blog. It would then read attacker staged content from within the blog posting to obtain a secondary domain, IP address and port number of a second stage C2 host.

In this example at “gressered.wordpress[.]com”, we found multiple blog posts, all of which had likely served as content for specific targeting campaigns. The same C2 configuration was “hiding in plain sight”. However, it is entirely possible that the attackers could have modified the second stage C2 configuration at any point previously. The earliest post was dated July 31, 2012, suggesting that this specific blog has been in use for nearly a year as a first stage interaction point.

Many of the blog posts that contained the C2 configuration were associated with news articles related to geopolitical events, likely of interest to potential targets.

I can’t emphasize enough that no vulnerabilities in WordPress were used to carry out these attacks. This report shows that cloud services such as Dropbox and websites such as WordPress.com which are usually whitelisted are being used as infrastructure to carry out attacks. I encourage you to read the full report as it breaks down the process step by step.

5 Comments


  1. From their About page:

    Cyber Squared stops sophisticated cyber threats by putting actionable threat intelligence into the hands of cyber defenders.

    Security is a naturally fascinating topic for many. And not just on networks & computers.

    Security-interests & pursuits drive culture & institutions in specific ways. It prioritizes & rewards competence. It recommends certain habits & practices, and warns against others.

    That there are real hostile actors, that the ‘little guy’ can do so much to enhance security, and that her own assets receive the benefit of her efforts, is downright charming.

    That network security cannot be provided by career personnel in uniform, and is not the province of a Federal agency (like medicines or the airspace), means that our own responses to it will influence Internet development & evolution.

    Security-interests are antithetical to the dummied-down Internet-consumerism some crave.

    Report


  2. FYI:
    The WordPress.com site mentioned has now been suspended for violation the TOS
    Plus One for the good guys :)

    Report


  3. The site has been suspended… Which is good of course, but I don’t think that is nearly enough.

    I was spam-bombed into a total reload on my first site ever. Personally I think those that do this sort of thing are guilty of burglary of a business with intent to steal, even if the site is not commercial in nature. The theft is the attempt to pick the pockets of your readers, the burglary is in the bypassing of deliberate protections through deliberate actions and intent. But…

    None of that will ever happen of course, because “this is just advertising tactics” is the lie that we are conditioned to think automatically.

    Thanks to the OP for the post. May I repost this on Disinfo [.] com?

    Report


  4. Hey Jeffro thanks for highlighting this, the WordPress.com TOS team has taken a look at this site and we are also investigating to see if there are more related sites we should be shutting down.

    In future you can always report sites like this via the “Report this Content” option in the toolbar site menu when logged in to WordPress.com or via http://en.wordpress.com/complaints/.

    Report


  5. @Peter Westwood – Noted. Thanks for suspending the site. In the report, they mentioned that had contacted the services being used in a malicious way so I assumed that WP.com had been contacted and just thought it was weird that the site was still online. I’ll keep that report link in mind the next time I come across a questionable site though.

    Report

Comments are closed.