Hackers with ties to China have been targeting the emails of Afghan security officials with malware meant to scoop up everything on their desktop, according to a Thursday report from researchers at Check Point.
In an example shared by researchers, a hacker sent a malicious file to an official at the Afghanistan National Security Council posing as someone from the administrative office of the president of Afghanistan. The email requested the recipient review an attachment that was purportedly about an upcoming press conference.
Once opened, the attachment displayed the first file on the victim’s desktop while simultaneously opening a backdoor onto the computer, Check Point said.
From there, the hackers had access to the victim’s files and executed a scanner tool popular with multiple hacking groups, including the Chinese government-linked group APT10.
Based on the malware used by hackers, though, researchers believe with medium to high confidence that the attack was executed by a Chinese-speaking hacking group sometimes referred to as “IndigoZebra.” The group has, since 2014, targeted governments in Central Asia including Kyrgyzstan and Uzbekistan.
This is the first time the group’s techniques have been tied to an attack on the Afghan government, and Check Point researchers aren’t ruling out additional possible victims.
Notably, the hackers used Dropbox folders as the channel for communication between their infrastructure and the infected computer. Since the traffic appeared to come from Dropbox, a legitimate file-sharing service, it didn’t set off any red flags. It speaks to how attackers are innovating to evade security safeguards.
“The trend is not just a usage of Dropbox, but any way to fly under the security radar,” says Check Point malware analyst Alexandra Gofman.
Researchers at Proofpoint also recently flagged a rise in cybercriminals turning to trusted services like Dropbox and Google Drive to deliver malware while slipping past security defenses.
Gofman says that Check Point is working with Dropbox to make sure that hackers can no longer use the company’s system to run the malware.
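The reason Dropbox-based command and control blends in is that the destination looks legitimate, so a defender has to look at who is talking to it rather than where the traffic goes. The following is an added detection example, not code from the Check Point report: it reads constructed Sysmon-style network-connection lines (timestamp, host, process image, destination) and flags processes outside an assumed allowlist that contact Dropbox domains repeatedly at near-regular intervals. The sample log, the allowlist and the domain list are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry in a simplified Sysmon-style format:
# "<timestamp> <host> <process image> <destination host>". Not real data.
SAMPLE_LOG = """\
2021-07-01T09:00:01 WS-17 C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe api.dropboxapi.com
2021-07-01T09:00:12 WS-17 C:\\Program Files\\Mozilla Firefox\\firefox.exe content.dropboxapi.com
2021-07-01T09:01:00 WS-23 C:\\Users\\user\\AppData\\Local\\Temp\\update.exe api.dropboxapi.com
2021-07-01T09:06:00 WS-23 C:\\Users\\user\\AppData\\Local\\Temp\\update.exe api.dropboxapi.com
2021-07-01T09:11:00 WS-23 C:\\Users\\user\\AppData\\Local\\Temp\\update.exe api.dropboxapi.com
2021-07-01T09:16:00 WS-23 C:\\Users\\user\\AppData\\Local\\Temp\\update.exe content.dropboxapi.com
2021-07-01T09:02:30 WS-42 C:\\Windows\\System32\\svchost.exe www.microsoft.com
"""

# Assumed domain list for the service being watched.
DROPBOX_DOMAINS = ("dropboxapi.com", "dropbox.com", "dropboxusercontent.com")
# Assumed allowlist: processes expected to talk to Dropbox in this environment.
EXPECTED_PROCESSES = ("dropbox.exe", "firefox.exe", "chrome.exe", "msedge.exe")

# Image path may contain spaces, so match it non-greedily and take the last token as the destination.
LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+)$")

def parse(log):
    """Yield (timestamp, host, image, dest) tuples; skips lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, image, dest = m.groups()
            yield datetime.fromisoformat(ts), host, image, dest.lower()

def is_dropbox(dest):
    """True for a listed domain or any of its subdomains, not for look-alikes."""
    return any(dest == d or dest.endswith("." + d) for d in DROPBOX_DOMAINS)

def find_suspicious(log, min_hits=3, max_jitter=60):
    """Return {(host, image): connection_count} for non-allowlisted processes
    that reach Dropbox at least min_hits times with gaps varying by at most
    max_jitter seconds, i.e. a regular check-in pattern rather than a user action."""
    buckets = defaultdict(list)
    for ts, host, image, dest in parse(log):
        exe = image.rsplit("\\", 1)[-1].lower()
        if is_dropbox(dest) and exe not in EXPECTED_PROCESSES:
            buckets[(host, image)].append(ts)
    findings = {}
    for key, times in buckets.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            findings[key] = len(times)
    return findings
```

In the constructed sample, only the unexpected process on WS-23 is reported (four connections at five-minute intervals); the Dropbox client and browser on WS-17 are ignored because the allowlist accounts for them.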