A sophisticated cyber espionage operation focused primarily within Ukraine reportedly uses malware that leverages Dropbox to exfiltrate stolen data, including conversations recorded by infected computers' audio microphones.
Industrial network cybersecurity firm CyberX confirmed last week that the campaign, dubbed Operation BugDrop, has successfully targeted at least 70 victims across various sectors, including critical infrastructure, media, and scientific research. Based on available evidence, CyberX researchers believe the campaign kicked off no later than June 2016 and still continues today.
According to a CyberX blog post, most of the Ukraine-based targets are located in the separatist states of Donetsk and Luhansk. But the reconnaissance campaign also spied on entities in Russia and, to a lesser extent, Saudi Arabia and Austria. Phil Neray, VP of industrial cybersecurity and marketing at CyberX, told SC Media in an interview that the geographical distribution of these attacks suggests three likely possibilities:
"The fact that a large number of targets were in the pro-Russian region of Ukraine to me indicates that it could be Ukrainians spying on pro-Russian Ukrainians. But it also could be Russians spying on Ukrainians because we saw [the campaign] targeting Kiev as well," said Neray. It's also possible that this could all be the work of a third-party cybercriminal group who is offering their hacking services for hire, he added.
Specifically, targets have included a company that designs remote monitoring systems for oil and gas pipeline infrastructures, an international human rights organization that monitors cyberattacks on Ukrainian critical infrastructure, an engineering company specializing in critical infrastructure, a scientific research institute, and Ukrainian newspapers.
One clue that might help attribution efforts is that BugDrop largely resembles Operation Groundbait, a campaign reported by ESET in May 2016 that researchers identified as a Ukrainian cyber espionage operation targeting pro-Russian individuals and assets. One key difference, however, is that BugDrop employs more advanced tactics, including the use of the cloud-based storage service Dropbox for data exfiltration.
"What's clever about that approach is that firewalls and other monitoring systems in your network won't typically block or monitor traffic going to Dropbox...because everybody uses them," said Neray. In contrast, the attackers behind Operation Groundbait created their own custom domains. "So if you saw traffic going to a domain that was either blacklisted or seemed suspicious, you could block that with a firewall or some other corporate blocking device. But Dropbox would go through innocuously."
Other innovative tactics include the use of reflective DLL injections – the same technique for injecting malware that was used in the Ukrainian power grid attacks and in the Stuxnet attacks on Iranian nuclear facilities – as well as the encryption of malicious DLLs to avoid detection. Furthermore, the attackers are running their command-and-control operations on legitimate, free web hosting sites that typically don't require registration information, helping the culprits remain anonymous.
The malware's ability to record audio is also telling, the CyberX blog post explains, because it requires a large team of human analysts to parse through the content either manually or using big-data analytics. Moreover, it indicates that the attackers have "a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured" from the campaign's various targets. The malware can also grab screenshots, swipe passwords, and steal files on local, shared and USB drives.
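Neray's point above is that traffic to Dropbox is rarely blocked because it is legitimate for most users, and the report notes the campaign pushes several GB per day through it. A defender's counter is not to block the service but to baseline it: the malware's traffic is almost all upload, and far more of it than a normal sync client produces. The script below is an added example, not code from CyberX or from the article; the proxy log lines, their field layout (timestamp, client IP, method, destination host, bytes sent), the 50 MB daily threshold and the upload-to-download ratio are all constructed assumptions that a real deployment would tune to its own baseline.

```python
"""Flag internal hosts whose Dropbox traffic looks like bulk exfiltration.

Added example, not from the CyberX report. Log format, hostnames matched and
thresholds are assumptions; tune them to your own proxy/firewall baseline.
"""
from collections import defaultdict

# Constructed proxy log lines (not real data):
# <timestamp> <client ip> <method> <destination host> <bytes sent>
SAMPLE_LOG = """\
2016-09-12T08:01:13Z 10.20.3.15 POST content.dropboxapi.com 25000000
2016-09-12T08:03:41Z 10.20.3.15 POST content.dropboxapi.com 25000000
2016-09-12T08:06:02Z 10.20.3.15 POST content.dropboxapi.com 25000000
2016-09-12T08:06:30Z 10.20.3.15 GET  api.dropboxapi.com 2000
2016-09-12T09:15:07Z 10.20.3.22 POST content.dropboxapi.com 1500000
2016-09-12T09:15:44Z 10.20.3.22 GET  content.dropboxapi.com 8000000
2016-09-12T10:40:19Z 10.20.3.40 POST mail.example.com 90000000
"""

# Match by domain suffix rather than a fixed hostname list, since the
# service's API endpoints change over time.
CLOUD_SUFFIXES = (".dropbox.com", ".dropboxapi.com")
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    ts, ip, method, host, sent = line.split()
    return {"ts": ts, "ip": ip, "method": method, "host": host, "sent": int(sent)}


def is_cloud_host(host, suffixes=CLOUD_SUFFIXES):
    return host.endswith(suffixes)


def traffic_per_client(log_text):
    """Return {client ip: {"up": bytes, "down": bytes}} for cloud-storage hosts only."""
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_cloud_host(rec["host"]):
            continue  # other destinations are out of scope for this rule
        direction = "up" if rec["method"] in UPLOAD_METHODS else "down"
        totals[rec["ip"]][direction] += rec["sent"]
    return dict(totals)


def flag_bulk_uploaders(log_text, threshold_bytes=50_000_000, min_ratio=5.0):
    """Clients that both exceed the daily upload threshold and upload far more
    than they download. A sync client downloads as well as uploads; a
    data-stealing implant mostly uploads."""
    flagged = []
    for ip, t in traffic_per_client(log_text).items():
        ratio = t["up"] / t["down"] if t["down"] else float("inf")
        if t["up"] > threshold_bytes and ratio >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, t in traffic_per_client(SAMPLE_LOG).items():
        print(f"{ip}: up={t['up']} down={t['down']}")
    print("flagged:", flag_bulk_uploaders(SAMPLE_LOG))
```

The ratio check matters as much as the volume: a user restoring a large folder from Dropbox will also move a lot of bytes, but mostly downward. Per-client daily totals like these are cheap to compute from existing proxy logs and give the visibility that a simple domain blacklist, which the article notes Dropbox defeats, cannot.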
Operation BugDrop infects its victims via spear phishing emails featuring Microsoft Office attachments that contain malicious macros. As a social engineering ruse, the attackers even crafted a fake dialogue box, written in Russian, instructing users to enable these macros, supposedly in order to correctly display the document's contents.
CyberX has not seen any of the actual phishing emails, but it did analyze a decoy document, which contains a list of military personnel that includes addresses and birth dates. The list is written in Ukrainian, but the original language of the document was Russian.
The infection process takes place over multiple stages. First, a main downloader is extracted from the decoy document via a malicious VB script. Next, a dropper executes two DLLs – one to establish persistence, and the other to install the main module. The primary payload then downloads and executes various data-stealing plug-ins. It also checks for debuggers, virtualized environments and other anti-malware products and techniques.