Threat Analysis

DropboxAES Remote Access Trojan

The following analysis was compiled and published to Threat Intelligence clients in March 2019. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT, to increase visibility of the threat group's activities.

Summary

DropboxAES is a simple remote access trojan (RAT) used by the BRONZE VINEWOOD (also known as APT31) threat group. The RAT uses the Dropbox file-sharing service for its command and control (C2) communications. The sample analyzed by Secureworks® Counter Threat Unit™ (CTU) researchers is executed via DLL search-order hijacking. Once executed on a host, DropboxAES RAT enables a threat actor to remotely perform the following actions:

  • Upload files from the infected host to the C2 server
  • Download files from the C2 server to the infected host
  • Execute commands on the infected host via a non-interactive command-line based reverse shell
  • Upload basic system information about the compromised host to the C2 server
  • Completely remove itself from the infected host

BRONZE VINEWOOD's tactics

BRONZE VINEWOOD campaigns have targeted legal, consulting, and software development organizations. CTU™ analysis suggests that organizations that are part of government or defense supply chains or that provide services to organizations in those verticals may be at higher risk of targeting than organizations in other verticals.

In addition to Dropbox, BRONZE VINEWOOD has used other popular social media and code repository sites to hide malicious activity among legitimate network traffic. CTU researchers have also identified previous BRONZE VINEWOOD campaigns utilizing DLL search-order hijacking to deliver the HanaLoader downloader tool and other malicious payloads.

DropboxAES RAT technical details

Despite BRONZE VINEWOOD naming the malware DropboxAES RAT, the version analyzed by CTU researchers does not use the Advanced Encryption Standard (AES). Rather, it implements a ChaCha20 stream cipher to encode and decode data. Older versions of the malware may have leveraged AES encryption when encrypting data.

The following sections describe how DropboxAES RAT builds its malicious payload, prepares its working environment, establishes persistence, gathers information about the compromised system, and interacts with the Dropbox-based C2 server.

Decoding and executing the DropboxAES RAT executable

The analyzed sample starts the infection chain with two files:

  • asOELnch.exe — a legitimate signed Symantec antispam executable
  • MSVCR100.dll — a malicious DLL that acts as a sideloader for DropboxAES RAT

When executed, asOELnch.exe loads MSVCR100.dll, which results in execution of the malicious sideloader. This sideloader verifies it is running within the context of asOELnch.exe and then Base64-decodes a large data blob appended to the end of MSVCR100.dll. The Base64-decoded result is decoded again using an RC4 stream cipher, resulting in a fully decoded executable that is the DropboxAES RAT (see Figure 1). The sideloader then creates a suspended instance of the parent executable (asOELnch.exe), injects the decoded DropboxAES RAT executable into the suspended instance, and runs the injected executable.

Figure 1. DropboxAES RAT executable before and after RC4-decoding. (Source: Secureworks)

Startup environment validation

The decompiled pseudocode of DropboxAES RAT's main function (see Figure 2) shows minimal initial functionality. DropboxAES RAT hashes the current executable's path and filename (lines 15 and 16) and returns a two-byte hexadecimal value. The hexadecimal value is converted to a lowercase string and is used as the mutex name in the CreateMutexA call (line 18).

Figure 2. DropboxAES RAT's decompiled main function pseudocode. (Source: Secureworks)

As an example, DropboxAES RAT expects to be executed in memory by its loader. Therefore, the executable path and filename should be similar to C:\Users\Example\Desktop\asOELnch.exe. The hashing algorithm uses the path and filename combination results to generate the hash 0x713E. This hash is converted to a lowercase string and is used as the Name argument in the call to CreateMutex (see Figure 3).

Figure 3. DropboxAES RAT mutex creation using hashed path and filename value as the Name argument. (Source: Secureworks)

If mutex creation is successful, meaning there are no other running instances of DropboxAES RAT, then DropboxAES RAT checks its configuration for the name of the subfolder and INI file within a specific subfolder in the %AllUsersProfile% folder. In the analyzed sample, the configuration value was the string “Service” (see Figure 4), so the checked path and filename was “C:\ProgramData\Service\Service.ini”. If the specified INI file does not exist, DropboxAES RAT sets up its working environment and persistence.

Working environment and persistence setup

DropboxAES RAT sets up its working environment by first creating a subfolder within %AllUsersProfile% using the name “Service” specified in its configuration (see Figure 4). The malware sets the Hidden and System attributes, copies the original executable (asOELnch.exe) and DLL (MSVCR100.dll), and creates a file named Service.ini in this subfolder. The Service.ini file contains a single integer, which is specified at the beginning of the DropboxAES RAT configuration (e.g., 0x3E8 hex = 1000 decimal). CTU researchers believe this value may be a campaign identifier.

Figure 4. DropboxAES RAT configuration highlighting the values used in folder/file creation as well as the integer to be stored within the INI file. (Source: Secureworks)

For persistence, DropboxAES RAT first tries to create a Windows Service named with the same “Service” string used for the %AllUsersProfile% subfolder and the INI file (see Figure 5). The malware sets the executable path to the legitimate executable copied to the %AllUsersProfile%\Service\ directory and sets the description of the service to “Helps protect users from malware and other potentially unwanted software.” The service description is also a value derived from the configuration data. Once the malware has created the Windows Service, it is started.

Figure 5. Service created by DropboxAES RAT for persistence. (Source: Secureworks)

If service creation fails, DropboxAES RAT implements persistence by creating an entry named “Service” in the registry's HKCU Run key (see Figure 6). The malware then runs the executable that it just copied into the configured working directory at %AllUsersProfile%\Service\ via a call to Kernel32.WinExec.

Figure 6. DropboxAES RAT registry Run key created for persistence. (Source: Secureworks)

With the new malware instance running via either Windows Service or a call to WinExec, DropboxAES RAT drops and executes a batch script named del.cmd within the %AllUsersProfile% path (see Figure 7).This file deletes the executable and DLL files from the original executed path. DropboxAES RAT's use of the ‘del' command potentially allows for the deleted files to be forensically restored as it does not perform a secure delete.

Figure 7. Contents of del.cmd dropped and executed by DropboxAES RAT. (Source: Secureworks)

Once DropboxAES RAT has set up the working environment, established persistence, and removed the original artifacts from the compromised system, the malware terminates itself in favor of the new running instance launched from the configured working directory.

Information gathering

DropboxAES RAT gathers basic information about the host prior to establishing communication with its C2 server. First, it generates a “uuid” value by appending the mutex value to the lowercase MAC address for the host's network adapter. For example, if the MAC address for the host is “00-0C-29-06-65-9F” and the mutex value is “713e”, the resulting uuid value is “00-0c-29-06-65-9f-713e”.

Next, DropboxAES RAT obtains the hostname, username, internal IP address, and operating system version of the infected host. It retrieves an integer value specified in its configuration, which is also present within the INI file, and formats the data into a JSON data structure:

{
"uuid":"00-0d-28-06-65-9f-713e",
"pcname":"example-hostname",
"user":"example-username",
"ip":"10.11.12.13",
"os":"Windows 8",
"time":1000
}

The collected data is encoded with the ChaCha20 stream cipher, which is partially identified by the constant “expand 32-byte k” within the code (see Figure 8). The resulting encoded data is then Base64-encoded.

Figure 8. DropboxAES RAT ‘expand 32-byte k' constant in the ChaCha20 stream cipher code. (Source: Secureworks)

Dropbox authentication and C2 folder

DropboxAES RAT is proxy aware. Prior to establishing C2 communications, it determines if the system is configured to use a proxy by inspecting the contents of the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer registry key value. If a proxy is configured, DropboxAES RAT uses these settings in its network configuration.

DropboxAES RAT needs to successfully authenticate to Dropbox to interact with the file-sharing service. To achieve this authentication, the malware obtains the Authorization token specified within its configuration (see Figure 9) and includes the value in the Authorization HTTP header. The following is the partially redacted Authorization token in the analyzed sample's configuration:

ZFcL0-4v7MAAAAAAAAAACv<REDACTED>80ulQAuXacLPU-MV7-5I-9S

This token results in the following Authorization HTTP header value:

Authorization: Bearer ZFcL0-4v7MAAAAAAAAAACv<REDACTED>80ulQAuXacLPU-MV7-5I-9S

A valid Authorization token value allows DropboxAES RAT to view, download, upload, and delete files located in Dropbox folders owned by the threat actor.

The name of the remote folder on Dropbox that DropboxAES RAT uses for C2 communications is also specified within the configuration. In the analyzed sample, the folder value was “dhsludfjdrdgd”.

Figure 9. Dropbox Authorization token and C2 folder specified in the DropboxAES RAT configuration. (Source: Secureworks)

Before uploading the encoded host information, DropboxAES RAT checks if an “online” file for this host already exists. For example, using the uuid generated from the analyzed example, the online filename would be “online#00-0d-28-06-65-9f-713e#.txt”. If an online version exists, the malware deletes it from the C2 server. The malware then uploads the encoded host information to the C2 server using the same “online” filename.

DropboxAES RAT searches the C2 folder on Dropbox for “job” files that contain commands issued by the C2 server. The search looks for files that contains the uuid value associated with the infected host. DropboxAES RAT downloads and processes any job files it finds that match the specific filename format (e.g., job#<uuid>#<command_id>#<job_id>#.txt). A switch statement uses the command integer specified in the job filename to determine which command should be executed (see Figure 10).

Figure 10. Decompiled pseudocode for DropboxAES RAT C2 command switch statement. (Source: Secureworks)

Table 1 describes the command values supported by DropboxAES RAT and their purpose.

Command value Command description
2 Run the specified command via a call to kernel32.CreateProcessA
3 Download the specified file from the C2 server
4 Upload the specified file to the C2 server
5 Resend the uuid, hostname, username, IP address, operating system data, and the integer found in configuration data to the C2 server
6 Remove all traces of DropboxAES RAT from the compromised system, including deleting the ‘online' check-in file present on the C2 server, removing all persistence mechanisms (registry Run key and Windows Service), performing a shallow deletion of DropboxAES RAT executables via the del.cmd batch script, and terminating the currently running DropboxAES RAT executable

Table 1. Valid DropboxAES RAT commands.

After DropboxAES RAT executes the command, the result or command output is encoded and uploaded to the C2 folder with a ‘back' filename (e.g., back###.txt). When completed, DropboxAES RAT continuously checks for the presence of another job file until the running DropboxAES RAT process is terminated. DropboxAES RAT establishes C2 communication using raw sockets via the libcurl library statically compiled into the binary. As it does not rely on libraries resident on the infected host, traces of DropboxAES RAT's historical network activity will be minimal or nonexistent.

DropboxAES RAT C2 files and formats

DropboxAES RAT utilizes the Dropbox online service for C2 communications by uploading and downloading documents stored in the configured folder on the Dropbox server. Table 2 summarizes all of the files that DropboxAES RAT uses for its C2 communications. They are listed in the order they occur.

Format Example Description
online##.txt online#00-0c-29-06-65-9f-ce8a#.txt Uploaded to the C2 server by the compromised host at initial check-in. The uuid value is unique and associates all C2 communication for the compromised host. The file contents contain ChaCha20 and Base64-encoded data about the compromised host.
job####.txt job#00-0c-29-06-65-9f-ce8a#2#gyK0slzo#.txt Placed on the C2 server by the threat actor. Downloaded and processed by the compromised host matching the uuid specified in the filename. In this example, the command order is denoted as the number 2 between the # symbols in the filename. The file contains arguments for the command and must be Base64 and ChaCha20-decoded before the arguments can be used by the malware. The random string at the end of the filename acts as a job ID that the threat actor uses to associate responses with issued commands.
back###.txt back#00-0c-29-06-65-9f-ce8a#gyk0slzo#.txt Uploaded to the C2 server by the compromised host. Contains the output for the command issued by the corresponding job file on the C2 server. The job ID appended to the end of the filename matches the job ID specified in the job file that originally issued the command. Prior to being uploaded to the C2 server, the command output is ChaCha20 and Base64-encoded.

Table 2. DropboxAES RAT files.

DropboxAES RAT configuration values

Table 3 summarizes the key values contained within the DropboxAES RAT configuration.

Value Purpose
0x3E8 (1000) Integer stored in the INI file. Used as the time value in the JSON sent to the C2 server within the online file. CTU researchers believe this value to be a campaign or target identifier.
AAert35ioplmnbvcxzasdfghjk&*cvvv Secret key used for ChaCha20 encoding and decoding.
Service String used for:
  • %AllUsersProfile% subfolder name
  • INI filename
  • Service name used for persistence
  • Registry Run key value name used for persistence
Helps protect users from malware and other potentially unwanted software Description of service used for persistence
ZFcL0-4v7MAAAAAAAAAACv<REDACTED>80ulQAuXacLPU-MV7-5I-9S Dropbox API Authorization token
Helps protect users from malware and other potentially unwanted software Description of service used for persistence
dhsludfjdrdgd Subfolder on Dropbox containing C2 files

Table 3. DropboxAES RAT configuration values.

Threat indicators

The threat indicators in Table 4 can be used to detect activity related to the DropboxAES RAT.

Indicator Type Context
76d4866c5ff6d821313e1461b7875544 MD5 hash DropboxAES RAT loader DLL
406353b156239ed08b27de0c38d16dfc6d031d88 SHA1 hash DropboxAES RAT loader DLL
ebdf52e13e69435ea7a85c9e38ac1f5045c32fe30d4e5aa66149a5
3054183f7f
SHA256 hash DropboxAES RAT loader DLL
8f0fcb5a80b2bca62d79f0d1cbdc93fb MD5 hash DropboxAES RAT executable
9c162e042e0a892924f8415f7d72fe4f966bae7d SHA1 hash DropboxAES RAT executable
f34725937839ae6c0470596e9c81b4572e2361737fbdb3a13983
a25dfabd1c3a
SHA256 hash DropboxAES RAT executable

Table 4. Indicators for this threat.

Conclusion

DropboxAES RAT is a simple but effective remote access trojan that lets a remote threat actor control a compromised host using primitive commands. When these commands are utilized together, the malware exhibits great flexibility and capability. The use of Dropbox for C2 communications and the generic configurable artifacts on disk make detection and prevention of DropboxAES RAT activity extremely difficult, if not impossible. Detection is especially challenging for organizations that use Dropbox for business purposes within their environments.

Back to more Threat Analyses and Advisories

Additional Resources

TRY TAEGIS TODAY!

See for yourself: Request your demo to see how Taegis can reduce risk, optimize existing security investments, and fill talent gaps.