Threat Hunting Content: DropboxAES RAT Detection

Today we want to tell you about the DropboxAES trojan used by the APT31 group in cyber espionage campaigns and also give a link to the Community Sigma rule to detect this malware.

In general, DropboxAES does not stand out from other remote access trojans. It is a relatively new tool in the arsenal of APT31 (also known as BRONZE VINEWOOD). The malware owes its name to its use of the Dropbox file-sharing service for command and control communications. APT31 previously deployed the trojan together with the HanaLoader malware, but more about that in our next blog posts. The loader uses the DLL Search Order Hijacking technique to execute the final payload. DropboxAES RAT allows adversaries to upload files from the infected host to the C&C server, download files from the C&C server to the infected host, execute commands on the infected host via a non-interactive command-line reverse shell, upload basic system information about the compromised host to the C&C server, and completely remove itself from the infected system.

Researchers discovered the trojan in a campaign targeting legal, consulting, and software development organizations. They believe the attackers are interested in government and defense supply chains.

APT31 is a Chinese threat actor specializing in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field.

Ariel Millahuel released a new threat hunting rule that uncovers the presence of this persistent malware in an organization's network: https://tdm.socprime.com/tdm/info/LshSYr8uLWtf/SbsfKXMBPeJ4_8xcqH6l/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060; in the current ATT&CK matrix this technique has been folded into T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
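To show what a Sigma-style hunt for this technique looks like in practice, here is an added example that is not the SOC Prime rule above and not code from the original post. It implements a small Sigma-like matcher (named selections with `field|modifier` specs and a condition) and runs it over constructed events shaped like Sysmon Event ID 13 (registry value set) and Event ID 11 (file create). The field names, the sample events, and the trusted-path filter are assumptions made for illustration; none of it is DropboxAES telemetry.

```python
"""Illustrative Sigma-style matcher for Run key / Startup folder persistence.

Constructed for this post. Not the SOC Prime DropboxAES rule and not real
DropboxAES telemetry. Field names follow Sysmon (assumed), events are flattened
to plain dicts so the example runs offline.
"""
from typing import Callable

# Constructed sample events (assumed Sysmon field names).
SAMPLE_EVENTS = [
    # Benign: a System32 binary registering itself under HKLM Run
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    # Suspicious: user-profile binary persisting via HKCU Run with a rundll32 payload
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\updater\update.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\updater\core.dll,Start"},
    # Benign: installer using RunOnce from Program Files
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup",
     "Details": r"C:\Program Files\Vendor\finish.exe"},
    # Suspicious: Temp-resident binary dropping a shortcut into the Startup folder
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    # Noise: an unrelated registry write
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Rule in Sigma's spirit: named selections plus a condition over them.
# The condition is a callable rather than a string to avoid eval().
RULE = {
    "title": "Run key / Startup folder persistence (illustrative)",
    "detection": {
        "run_key": {"EventID": 13,
                    "TargetObject|contains": ["\\CurrentVersion\\Run\\",
                                              "\\CurrentVersion\\RunOnce\\"]},
        "startup_folder": {"EventID": 11,
                           "TargetFilename|contains": "\\Start Menu\\Programs\\Startup\\"},
        # Assumed allow-list; see the caveat below the block.
        "filter_trusted": {"Image|startswith": ["C:\\Windows\\System32\\",
                                                "C:\\Program Files\\"]},
        "condition": lambda s: (s["run_key"] or s["startup_folder"]) and not s["filter_trusted"],
    },
}


def _match_value(actual: str, modifier: str, expected: str) -> bool:
    """Apply one Sigma-style modifier; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "equals":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection: dict, event: dict) -> bool:
    """Every field spec in a selection must match; a list of values is an OR."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        modifier = modifier or "equals"
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(str(event[field]), modifier, str(c)) for c in candidates):
            return False
    return True


def hunt(events: list, rule: dict) -> list:
    """Return one hit per event that satisfies the rule's condition."""
    detection = rule["detection"]
    condition: Callable[[dict], bool] = detection["condition"]
    hits = []
    for idx, ev in enumerate(events):
        selections = {name: _match_selection(sel, ev)
                      for name, sel in detection.items() if name != "condition"}
        if condition(selections):
            hits.append({"index": idx, "image": ev["Image"],
                         "target": ev.get("TargetObject") or ev.get("TargetFilename")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, RULE):
        print(f"[{RULE['title']}] event {hit['index']}: {hit['image']} -> {hit['target']}")
```

On the constructed input this flags only the HKCU Run write from the user-profile binary and the Startup folder shortcut dropped from Temp. The `filter_trusted` selection is the weak point of any rule like this: an adversary can write a Run key through reg.exe or PowerShell from System32, so a production rule should look at the value being written (the path in `Details`) and the process command line rather than trusting the writing image's location, and the allow-list should be tuned to what actually registers Run keys in your environment.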