The Chinese cyberspies behind the espionage campaign against The New York Times had also used Dropbox and WordPress.
The 'DNSCalc gang' has been using the Dropbox file-sharing service for roughly the last 12 months as a mechanism for spreading malware, said Rich Barger, chief intelligence officer for Cyber Squared.
The gang is among 20 Chinese groups identified this year by security firm Mandiant that launch cyberattacks against specific targets to steal information.
The attackers did not exploit any vulnerabilities in Dropbox or WordPress. Instead, they opened accounts and used the services as their infrastructure. They uploaded to Dropbox a .ZIP file disguised as belonging to the U.S.-ASEAN Business Council. Messages were then sent to people or agencies that would be interested in the draft of a Council policy paper. The paper, contained in the file, was legitimate.
When a recipient unzipped the file, they saw another one that read, "2013 US-ASEAN Business Council Statement of Priorities in the US-ASEAN Commercial Relationship Policy Paper.scr." Clicking on the file would launch a PDF of the document, while the malware opened a backdoor to the host computer in the background.
Once the door was open, the malware would reach out to a WordPress blog created by the attackers. The blog contained the IP address and port number of a command and control server that the malware would contact to download additional software.
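Two defender-side checks follow from the chain described above: inspecting an archive for a document-styled entry that actually carries an executable extension (the ".scr" lure), and scanning a web page a host has fetched for the IP:port pairs a "dead-drop" blog hands to a backdoor. The code below is an added example, not code from the article or from the researchers quoted in it; the archive it builds and the blog text it scans are constructed here (the 203.0.113.45 address is from the documentation range), and the extension and keyword lists are assumptions chosen for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is the one used in this lure.
# This list is an assumption for the example, not an exhaustive policy.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Words or inner extensions that make a filename look like a harmless document (assumed list).
DOCUMENT_HINTS = (".pdf", ".doc", ".docx", ".xls", ".ppt", "policy paper", "statement", "report")

# Entry name taken from the article; the archive content below is a constructed stand-in.
LURE_NAME = ("2013 US-ASEAN Business Council Statement of Priorities in the "
             "US-ASEAN Commercial Relationship Policy Paper.scr")


def build_sample_archive():
    """Constructed ZIP mirroring the structure the article describes (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LURE_NAME, b"MZ placeholder, not a real executable")
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Return (name, extension, document_styled) for each archive entry whose final
    extension is executable. document_styled is True when the name also carries a
    document hint, which is the pattern used to make a lure look like a paper."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("/") or "." not in lower:
                continue  # directories and extension-less entries are not lures of this kind
            ext = lower[lower.rfind("."):]
            if ext in EXECUTABLE_EXTENSIONS:
                stem = lower[: -len(ext)]
                document_styled = any(hint in stem for hint in DOCUMENT_HINTS)
                flagged.append((name, ext, document_styled))
    return flagged


# Dotted-quad followed by a port, as a backdoor would read it from a dead-drop page.
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def dead_drop_indicators(page_text):
    """Extract syntactically valid IP:port pairs from fetched page text. Hits in a
    page that should contain only prose are worth correlating with proxy logs."""
    found = []
    for ip, port in IP_PORT.findall(page_text):
        if all(int(o) <= 255 for o in ip.split(".")) and 0 < int(port) <= 65535:
            found.append((ip, int(port)))
    return found


# Constructed blog text for the example; the address is from the 203.0.113.0/24 documentation range.
SAMPLE_BLOG_TEXT = (
    "Spring update from the garden club. Meeting moved to 10:30. "
    "Reminder code: 203.0.113.45:8080 for members."
)

if __name__ == "__main__":
    for name, ext, styled in suspicious_entries(build_sample_archive()):
        print(f"executable entry {ext!r}, document-styled={styled}: {name}")
    print("dead-drop candidates:", dead_drop_indicators(SAMPLE_BLOG_TEXT))
```

The archive check looks only at the final extension, because that is what decides how the file is opened; the document hints merely raise the severity. The dead-drop scan is deliberately simple (it ignores obfuscated or base64-wrapped addresses), so its value is as one signal to join with the connection that follows the page fetch, not as a standalone verdict.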
The best prevention is for security pros to share information when their companies are targeted, so others can draw up their own defense.