The latest example of an advanced persistent threat exploiting a legitimate cloud service to deliver a malicious payload was recently unearthed by researchers at Trend Micro. As a follow up of a campaign targeting several European countries, discovered in July 2023 and attributed to the APT Earth Preta (also known as Mustang Panda and Bronze President), the researchers have discovered a new cluster of activities, which took place in 2022 and 2023, targeting several countries in Asia including Taiwan, Vietnam, Malaysia, and other Asian countries.
The main characteristic of this campaign is the adoption of a new customized PlugX malware, named DOPLUGS, but an interesting aspect is also the adoption of a multi-stage delivery mechanism where a legitimate cloud service, Google Drive, is abused to deliver the first-stage payload.
In fact, the initial attack vector of the latest wave of this campaign, taking place since July 2023, is a spear-phishing email with a Google Drive link that hosts a password-protected archive file, which initiates the process that eventually leads to the download of the DOPLUGS malware.
Interestingly, this threat actor is particularly active against South Pacific organizations. A similar campaign which led to the successful compromise of a Philippine government organization was discovered in August 2023, and even in that case the attackers adopted a similar modus operandi, exploiting Google Drive to host the malicious files.
Mitigating the Risks of Malware Delivered from Legitimate Cloud Services
Google Drive is one of the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and Data Loss Prevention. It is also one of the hundreds of apps for which instance detection is available. So, in cases where this service or a similar cloud storage app is not needed by the organization, but is exploited by external attackers to deliver a malicious payload or to host the command and control infrastructure, it is possible to configure a policy for preventing potentially dangerous activities (such as “Upload” and “Download”), singularly or as a category (whether it is a personal or corporate instance). On the other hand, if the app is in use by the organization, it is possible to configure a policy for preventing any risky activities from non-corporate instances only, mitigating the risk of malware delivery and data exfiltration.
Netskope customers are also protected against malware distributed from similar legitimate cloud services (and the web in general) by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning detectors for executables and Office documents, and sandboxing with patient zero protection. Netskope threat intelligence can also detect connections towards a malware distribution point or a command and control infrastructure, even if they are directed to a legitimate cloud service. The threat protection capabilities can be augmented through Netskope Cloud Exchange, which provides powerful integration tools to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds, endpoint protection and email protection technologies.
Netskope Cloud Exchange provides powerful integration tools to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds, endpoint protection and email protection technologies.
Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or the risk of becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.
Stay safe!