Dropbox Used to Mask Malware Movement in Cyberespionage Campaign


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Chinese-speaking cyberespionage actors have targeted the Afghan government, using Dropbox for command-and-control (C2) communications and going so far as to impersonate the Office of the President to infiltrate the Afghan National Security Council (NSC), researchers have found.

According to a report published by Check Point Research (CPR) on Thursday, this is just the latest in a long-running operation that goes back as far as 2014, when the same threat actors also targeted the Central-Asian countries of Kyrgyzstan and Uzbekistan.

The suspected advanced persistent threat (APT) group has been dubbed IndigoZebra. Kapsersky researchers, for their part, included the APT among the list of Chinese-speaking actors listed in its APT Trends report for the second quarter of 2017.

At the time, Kaspersky said that the IndigoZebra campaign was targeting former Soviet Republics with “a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called ‘xCaon’.” According to Kaspersky’s 2017 report, the campaign shared ties with other well-known Chinese-speaking actors, though no definitive attribution was made at the time.

According to CPR, Thursday’s report is the first time that a fuller set of technical details relating to the operation have been publicly disclosed. Its report includes analysis of the xCaon backdoor, as well as the latest version, which CPR has christened BoxCaon and which uses the Dropbox cloud-storage service as a C2 server.