A new form of malware that targets mass media agencies has been discovered by researchers at the US-based security firm FireEye. The malware was detected in Hong Kong where it was being used to target a small number of media agencies with the initial targets of the attack being newspapers, radio stations and television studios.
The malware leaves a user vulnerable by opening a backdoor into their system. The way in which this is achieved is unusual because its command and control (C&C) server is hidden inside Dropbox accounts. FireEye was able to trace the malware back to a group of hackers by the name 'admin@338' who are believed to have ties with the Chinese government.
This group has previously targeted international organisations from the financial, economic and trade policy sectors. In the past, admin@338 has employed spear phishing campaigns to infect users with Remote Access Trojans (RATs) such as Poison Ivy. In this latest series of attacks the scope has been narrowed, possibly to target media agencies who supported last year's protests in Hong Kong.
The group often includes booby-trapped Word documents in emails sent to victims with information about anti-Chinese and pro-democracy topics. The Word documents exploit the CVE-2012-0158 Microsoft Office vulnerability, which allows the hackers to install the LOWBALL malware onto the PCs of unsuspecting users.
This recent attack was particularly unusual because the C&C server was located inside a Dropbox account rather than somewhere else online. FireEye worked alongside Dropbox to halt the initial campaign that occurred in August, but now both companies have become aware of a new series of ongoing attacks.
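Because the article only states that the C&C server lived inside a Dropbox account and publishes no indicators, the practical question for a defender is how traffic to a legitimate cloud service can be told apart from the same service being used as a covert channel. The script below is an added example written for this page, not code from FireEye, Dropbox or the article: it runs over a few constructed proxy log lines and flags hosts that reach Dropbox from a process other than an approved client, or that poll Dropbox at suspiciously regular intervals. The log format, host names, process names, domain list and "approved process" policy are all assumptions for the demonstration.

```python
"""Added example (not from the article or FireEye's report): spot Dropbox
traffic that does not look like a user or the desktop client. Everything
below (log format, hosts, processes, domains) is constructed for the demo."""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: timestamp, source host, process name, destination
SAMPLE_LOG = """\
2015-11-20T09:00:01 ws-04 Dropbox.exe api.dropboxapi.com
2015-11-20T09:00:05 ws-04 Dropbox.exe content.dropboxapi.com
2015-11-20T09:01:00 ws-17 svchost.exe api.dropboxapi.com
2015-11-20T09:06:00 ws-17 svchost.exe api.dropboxapi.com
2015-11-20T09:11:00 ws-17 svchost.exe api.dropboxapi.com
2015-11-20T09:16:00 ws-17 svchost.exe content.dropboxapi.com
2015-11-20T09:02:30 ws-09 chrome.exe www.dropbox.com
"""

# Assumption: domains that represent "Dropbox" for this check
DROPBOX_DOMAINS = ("dropboxapi.com", "dropbox.com")
# Assumption: site policy on which processes may legitimately talk to Dropbox
ALLOWED_PROCESSES = {"dropbox.exe", "chrome.exe", "firefox.exe"}


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, host, process, dest) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, proc.lower(), dest.lower()))
    return events


def is_dropbox(dest):
    """True when dest is one of the Dropbox domains or a subdomain of one."""
    return any(dest == d or dest.endswith("." + d) for d in DROPBOX_DOMAINS)


def find_suspicious(events, min_beacons=3, tolerance_s=30):
    """Return (host, process, reason) findings.

    Rule 1: a process outside the allow-list contacting Dropbox at all.
    Rule 2: at least min_beacons contacts whose gaps differ by no more than
            tolerance_s seconds, i.e. timer-driven polling rather than use.
    """
    by_host = defaultdict(list)
    for ts, host, proc, dest in events:
        if is_dropbox(dest):
            by_host[(host, proc)].append(ts)

    findings = []
    for (host, proc), times in by_host.items():
        if proc not in ALLOWED_PROCESSES:
            findings.append((host, proc, "unexpected process reaching Dropbox"))
        times.sort()
        if len(times) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            avg = int(sum(gaps) / len(gaps))
            findings.append((host, proc, f"regular polling every ~{avg}s"))
    return findings


if __name__ == "__main__":
    for host, proc, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{host}\t{proc}\t{reason}")
```

In the sample, the desktop client on ws-04 and the browser on ws-09 are left alone, while ws-17 is reported twice: once because svchost.exe is not an approved Dropbox client, and once because its four contacts are exactly five minutes apart. Real deployments would feed the same two rules from endpoint telemetry (process-to-connection attribution) rather than a bare proxy log, and would tune the tolerance to the jitter of the agents they expect to see.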
Currently the security firm has identified over 50 machines that are being targeted by these attacks.
Image source: Shutterstock/wavebreakmedia