CLAMBLING - A New Backdoor Base On Dropbox (EN)
In July 2019, one of our customer’s company suffering the APT attack and we start the investigation immediately. During the investigation we found a brand new backdoor sample, which implements lots of features by using Dropbox API, using Dropbox like a C&C server. After the reverse engineering, we extract the Dropbox token used by the sample, dig into Dropbox folder, and reveal the whole functional structure.
This article is published on Talent-Jump Technologies, Inc. simultaneously.
The report is co-authored with Trend Micro.
Kenney Lu, Daniel Lunghi, Cedric Pernet, and Jamz Yaneza. (17 February 2020). Trend Micro. “Operation DRBControl - Uncovering A Cyberespionage Campaign Targeting Gambling Companies In Southeast Asia”
Table of Contents
- First Stage Infection
- Sample Analysis
- Inside of Dropbox Folder
- Second Stage Infection
The threat actor uses Windows Defender Core Process
MsMpEng.exe which has a legal digital signature to load the malicious DLL file. Load the shellcode from the payload file then release the final malicious executable to complete the first stage infection.
During the investigation, we found a total of 8 different loader’s filenames [Appendix 1] renamed from
MsMpEng.exe and placed at
C:\ProgramData\Microsoft in its separated folder. The loader is just called the function
ServiceCrtMain imported from
The malicious DLL file
mpsvc.dll has two types [Appendix 2]. The older type will try to read shellcode from payload file
English.rtf, decode and decompress the content using
RtlDecompressBuffer to release the final executable (Figure 1).
The newer one has a different way to start the infection. There is a piece of shellcode hard-coded in the
mpsvc.dll, after decoding the shellcode from
mpsvc.dll, it will inject and execute to load the shellcode from
mpsvc.mui (Figure 2), which will release the final executable and inject into the process.
Both of these two types of
mpsvc.dll will release a full functional backdoor, which can connect to the C&C server. But the final executable released by a newer type of
mpsvc.dll has some upgrade, including the function to interact with Dropbox API. The following article will focus on the malicious executable released by the newer type of
The hardcoded shellcode in a newer type of
mpsvc.dll will first allocate 0x80000 bytes of memory space. Getting the current module’s full path and replace the extension
mui and read the shellcode in this
mui file, then jump to the base address of
mui file plus its first byte. (Figure 3)
In the end, the shellcode in
mpsvc.mui has another different piece of hard-coded bytes, which will decompress by
RtlDecompressBuffer to the final malicious executable (Figure 4).
The final malicious executable sample we extracted has numerous features. Here is the analysis of some major functions.
This sample can bypass UAC via .NET. It is not a new technique which was disclosed in 2017 , the threat actor only changes the GUID to
9BA94120-7E02-46ee-ADC6-10640B04F93B (Figure 5) and specify the location of DLL file which will load by the .NET application in the elevated process.
There are two ways to persist. Register as a startup program in
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run if it has no privileged (Figure 6). Otherwise, it will register itself as a system service (Figure 7).
It will collect some basic information like IP address, hostname, username, OS version and so on. Also, it will search the registry key’s value
HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt and try to look for the wallet address if exist (Figure 8). All of this information will upload to Dropbox as
%Y-%m-%d %H-%M-%S.log, below is a file sample:
Lan IP: x.x.x.x
This sample acquired three types of recording features, including key-log, clipboard log, and screen recording. The screen recording file naming format is
[%y-%m-%d] %H-%M-%S.avi. The key-log and clipboard log will encode by different key and salt, then save as
<hash>.pas for key-log and
<hash>.log for clipboard log (Figure 9).
This sample can also connect to a specific C&C server and send back data by using a fake HTTP POST request (Figure 10).
The RTTI information remaining, here is the full class name list we got:
During reverse engineering, we found that the Dropbox API token with 64 characters is hardcoded in stack string (Figure 11).
Besides connecting to the C&C server, this sample can also upload & download with Dropbox API. Especially when the log file is uploaded, it will try to download
bin.asc and check the file has fake
GIF file header or not. If everything is correct, it will continue to the custom decoding phase, which will calculate with an array of bytes hard-coded in the sample, to release the inject payload (Figure 12).
After we got the Dropbox token, we can now dig into Dropbox by using official API, for example, list the account information which creates this token, list the full file and folder information.
In the Dropbox, the folder structure like this:
Each infected victim has its folder named by unique hash
/[0-9A-z]/, this hash is generated by machine key and some other information.
%Y-%m-%d\ %H:%M:%S.log is the log file upload by the victim.
*.asc is the file upload by the threat actor. For example,
bin.asc is the payload download by the victim when the log file is upload succeeds.
Sort out the log file on Dropbox, we can get the full list of infected computers (Figure 13).
After the first infection stage completed, it will persistent itself as a system service or autorun program. Collecting information and establish a connection to the C&C server. The most interesting part is each time when the log file is upload succeeds, it will try to download
bin.asc from each computer’s unique folder. Most of
bin.asc we captured is requesting the victim to download
x64bin.asc file from Dropbox.
Further analysis of
x64bin.asc, we found the second Dropbox API token, its purpose is different from the first one. Now the threat actor is ready to use Dropbox as another C&C server with the full backdoor feature.
The second infection stage’s sample has some bonus features including the ability to interact with Dropbox, the command code mapping show as below:
In these commands, there are three different files, each of these file has specific filename and purpose:
eLHgZNBH: The status file, upload to Dropbox at regular intervals.
yasHPHFJ: The command file, containing command and arguments.
csaujdnc: The execution result of the command.
The status file
eLHgZNBH contain the basic information about victim and timestamp, upload to Dropbox at regular intervals. Whenever status file upload succeeds, it will try to download the command file
yasHPHFJ if it existed. Extract the command code and arguments from
yasHPHFJ then execute the command and upload the execution result to Dropbox as
csaujdnc (Figure 14).
By using this control flow, the threat actor can use Dropbox as a C&C server to control the victim’s computer even the fixed connection between the specific C&C server’s IP address has been found and blocked. Unless we block
api.dropboxapi.com, otherwise we can not isolate the infected computer.
The Dropbox API remain the detail of each file and folder, for example this is a file information return by Dropbox API:
It contains the server_modified timestamp even with history revision file id, we can use
rev to list the full history of this file and download it. Sort out this information and the command code mapping, we can now list the full command executed on each computer and its arguments. Here is two computers’ execution list (Figure 15 & 16).
According to these record, the threat actor follows almost the same action on every infected computer. First, download additional attack programs from Dropbox, like
mimikatz or other UAC bypass tools. Second, search the high-value file including private source code, config file, database, and the key-log / clipboard log. Upload all of these files to Dropbox for further searching. Last but not least, infiltrate the company intranet or even the cloud service.
Combining all decoded
yasHPHFJ files, we can show the threat actor’s approximate working hours (Figure 17).
We start to monitor the Dropbox for each token and parse the infected computer’s list, here we can see the infected computer’s number from July 2019 to September 2019 this two month (Figure 18 & 19).
We got nearly 200 infected computers at the highest peak from Dropbox A, alone with nearly 80 computers from Dropbox B. Both of these static has a drop at August 21, 2019, the threat actor clear the Dropbox folder for some reason. Monitoring ends on September 20, 2019, all tokens we got are revoked by the threat actor.
During these two months, we got five different Dropbox token. Each of these tokens has its purpose. The first two tokens are the major one we discuss in this article, others are more like for testing.
From the first infection stage, established the connection between the C&C server and Dropbox at the same time. If the IP address of the C&C server been blocked, it can still have limited control from Dropbox. Once it completed the second infection stage, Dropbox is turning into a second channel C&C server which has full remote control features (Figure 20). Steal the data and infiltrate the whole company. This method is not complex but very useful.
- DLL & Payload File
- UAC bypass via elevated .NET applications
- Dropbox for HTTP Developers
- Kenney Lu, Daniel Lunghi, Cedric Pernet, and Jamz Yaneza. (17 February 2020). Trend Micro. “Operation DRBControl - Uncovering A Cyberespionage Campaign Targeting Gambling Companies In Southeast Asia”