While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing service to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug).
From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking.
To explain load / search order hijacking: when an executable first runs on a Windows system, it imports DLL files that add extra functionality to the program. The running binary first checks its own directory for each DLL, and if the file doesn't exist there, it continues down the system's search path (including the %PATH% variable), which covers directories such as C:\Windows and C:\Windows\System32. The legitimate explorer.exe, for example, resides in C:\Windows. If an attacker crafts a malicious DLL such as ntshrui.dll with the correct export functions and places it where it is found first, it serves both as a persistence mechanism and as a way to run with the same permissions as explorer.exe.
Back to how PlugX uses this. As mentioned by Trend Micro, NvSmart.exe is a legitimate file from Nvidia. By using a DLL named NvSmartMax.dll, an attacker can load the RAT using the legitimate file.
In the targeted Taiwanese attacks using PlugX, attackers used Dropbox as a side channel, allowing the malware to fetch updated configurations from there. And to make finding an infection even harder, did I mention it has a ticking time bomb feature as well? How difficult would it be to find the original infection vector if the malware slept for a month or a year before executing?
From a forensics perspective, finding the malware in your network can be difficult. One way to find these attacks is to look for legitimate files, such as NvSmart.exe, in directories where they shouldn't be. If a user has this file and no other Nvidia files, that would be something to investigate. If an organisation intercepts SSL/TLS on its network, it may also be able to look for traffic to and from Dropbox that shouldn't be taking place.
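As an added example (not code from the original post), the filesystem check just described as a small Python hunt: it walks a tree, finds copies of NvSmart.exe outside the vendor's install directories or without any other NVIDIA files beside them, and notes when NvSmartMax.dll sits next to the host. The expected directory names and the sample layout are assumptions constructed for the example.

```python
"""Hunt for a DLL side-loading host (NvSmart.exe) sitting outside its vendor
directory or alone with NvSmartMax.dll. Paths below are assumed, not vendor-documented."""
import os
import tempfile
from pathlib import Path

# Assumed locations of the legitimate binary, relative to the scan root.
EXPECTED_DIRS = ("Program Files/NVIDIA Corporation", "Program Files (x86)/NVIDIA Corporation")

def _is_under(path, parent):
    return path == parent or parent in path.parents

def find_suspicious_sideload_hosts(root, host="NvSmart.exe", companion="NvSmartMax.dll",
                                   expected_dirs=EXPECTED_DIRS):
    """Return a list of {path, reasons} for each copy of `host` that looks out of place."""
    root = Path(root).resolve()
    expected = [(root / d).resolve() for d in expected_dirs]
    findings = []
    for dirpath, _, filenames in os.walk(root):
        names = {f.lower() for f in filenames}
        if host.lower() not in names:
            continue
        here = Path(dirpath).resolve()
        reasons = []
        if not any(_is_under(here, e) for e in expected):
            reasons.append("host binary outside expected vendor directories")
        # "This file and no other Nvidia files": nothing else nv-prefixed beside host/companion.
        others = names - {host.lower(), companion.lower()}
        if not any(n.startswith("nv") for n in others):
            reasons.append("no other NVIDIA files beside the host")
        if reasons and companion.lower() in names:
            reasons.append(f"{companion} present beside host (search-order hijack candidate)")
        if reasons:
            findings.append({"path": str(here / host), "reasons": reasons})
    return findings

def build_sample_tree(base):
    """Constructed sample layout: one legitimate install and one out-of-place copy."""
    legit = Path(base) / "Program Files" / "NVIDIA Corporation" / "NvSmart"
    legit.mkdir(parents=True)
    for n in ("NvSmart.exe", "NvSmartMax.dll", "nvapi.dll", "nvinfo.pb"):
        (legit / n).write_bytes(b"placeholder")
    rogue = Path(base) / "Users" / "alice" / "AppData" / "Roaming" / "updater"
    rogue.mkdir(parents=True)
    for n in ("NvSmart.exe", "NvSmartMax.dll", "boot.ldr"):
        (rogue / n).write_bytes(b"placeholder")

def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_suspicious_sideload_hosts(base)
```

On a real host, point `find_suspicious_sideload_hosts` at a drive root (or a mounted forensic image) instead of the constructed sample tree.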