
Dropbox Used to Mask Malware Movement in Cyberespionage Campaign
2021-07-01 10:00

Chinese-speaking cyberespionage actors have targeted the Afghan government, using Dropbox for command-and-control communications and going so far as to impersonate the Office of the President to infiltrate the Afghan National Security Council, researchers have found.

Kaspersky first documented IndigoZebra in 2017, reporting that the campaign was targeting former Soviet republics with "a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'." According to that 2017 report, the campaign shared ties with other well-known Chinese-speaking actors, though no definitive attribution was made at the time.

Using the legitimate Dropbox API for command and control helps mask the malicious traffic on the target's network, the researchers said: the backdoor's requests go to a widely used cloud service rather than to an unfamiliar domain, so no communications with oddball websites show up in the logs.
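Because the destination itself is legitimate, a defender cannot rely on a domain blocklist; the traffic has to be separated from genuine Dropbox use by how it behaves. The following is an added example of that kind of check, written for this page rather than taken from the article or from the researchers' report. It runs two heuristics over web-proxy log lines: requests to the Dropbox API arriving at near-constant intervals (a backdoor polling for commands), and a user agent that none of the expected Dropbox clients would send. The log format, the sample lines, the user-agent allowlist and the thresholds are all constructed assumptions and have to be tuned to a real environment.

```python
"""Hunt for command-and-control hidden in Dropbox API traffic.

Added example, not code from the Threatpost article or the researchers.
The log format, sample lines, user-agent allowlist and thresholds below
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: only browsers and the official desktop client are expected
# to talk to the Dropbox API from this network. Adjust for your estate.
EXPECTED_UA_PREFIXES = ("Mozilla/", "Dropbox-Desktop/")

# Constructed sample log. Format (an assumption, not a real proxy format):
#   <ISO timestamp> <client IP> <destination host> <method> <path> <user agent>
# 10.0.0.5 polls every five minutes with an odd user agent (C2-like);
# 10.0.0.7 is a person using Dropbox from a browser; 10.0.0.9 is unrelated.
SAMPLE_LOG = """\
2021-06-28T09:00:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder WinHTTP-Loader/1.0
2021-06-28T09:05:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder WinHTTP-Loader/1.0
2021-06-28T09:10:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder WinHTTP-Loader/1.0
2021-06-28T09:15:00 10.0.0.5 api.dropboxapi.com POST /2/files/list_folder WinHTTP-Loader/1.0
2021-06-28T09:20:01 10.0.0.5 content.dropboxapi.com POST /2/files/upload WinHTTP-Loader/1.0
2021-06-28T09:02:13 10.0.0.7 api.dropboxapi.com POST /2/files/list_folder Mozilla/5.0 (Windows NT 10.0) Firefox/89.0
2021-06-28T09:41:50 10.0.0.7 content.dropboxapi.com POST /2/files/upload Mozilla/5.0 (Windows NT 10.0) Firefox/89.0
2021-06-28T11:03:07 10.0.0.7 api.dropboxapi.com POST /2/files/list_folder Mozilla/5.0 (Windows NT 10.0) Firefox/89.0
2021-06-28T13:27:39 10.0.0.7 api.dropboxapi.com POST /2/files/list_folder Mozilla/5.0 (Windows NT 10.0) Firefox/89.0
2021-06-28T09:03:00 10.0.0.9 www.example.org GET / Mozilla/5.0 (Windows NT 10.0) Firefox/89.0
"""


def parse_line(line):
    """Split one log line into a dict; the user agent is the rest of the line."""
    ts, client, host, method, path, ua = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "method": method, "path": path, "ua": ua}


def analyze(log_text, min_requests=4, max_jitter=0.2):
    """Return {client: [reasons]} for clients whose Dropbox API use looks like C2.

    Beaconing: with at least min_requests requests, the coefficient of
    variation of the gaps between them (pstdev / mean) is below max_jitter.
    User agent: any request whose user agent matches none of the expected
    prefixes. Either finding alone is a lead; both together is a strong one.
    """
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["host"] in DROPBOX_API_HOSTS:
            per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        reasons = []
        recs.sort(key=lambda r: r["ts"])
        if len(recs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg < max_jitter:
                reasons.append(f"regular beaconing to Dropbox API every ~{avg:.0f}s "
                               f"({len(recs)} requests)")
        odd_uas = sorted({r["ua"] for r in recs
                          if not r["ua"].startswith(EXPECTED_UA_PREFIXES)})
        if odd_uas:
            reasons.append("unexpected user agent: " + ", ".join(odd_uas))
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample only 10.0.0.5 is reported, on both counts; the browser user at 10.0.0.7 is not, because its requests are irregular and carry an expected user agent. The jitter threshold matters: a real implant may add random sleep, so in practice the interval check is best combined with per-host volume and the user-agent or process-name check rather than used alone.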

Based on similarities in code and functionality, the researchers determined that the BoxCaon backdoor is a variant of the same xCaon family that Kaspersky referenced in its 2017 report - "Hence the name," they said.

The Dropbox-based variant was spotted targeting officials in the Afghan government, while the xCaon variants that use plain HTTP for command and control were going after political entities in Kyrgyzstan and Uzbekistan.

"This time, we've detected an ongoing spear-phishing campaign targeting the Afghan government," he said via email.

News URL

https://threatpost.com/dropbox-malware-ongoing-spearphishing-cyberespionage/167402/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dropbox 5 2 6 3 2 13