A well-organized cyber-espionage group is infecting computers at selected targets in Ukraine, turning on their microphones to record nearby audio, stealing documents, and storing the exfiltrated data in Dropbox accounts, according to security firm CyberX, which recently came across the malware used in these attacks, as reported by Bleeping Computer, a computer help site that also publishes news and reviews for PC users.
Researchers identified over 70 organizations targeted in these attacks, with most located in Ukraine, and especially in the self-declared separatist states of Donetsk and Luhansk, near the Russian border, Bleeping Computer wrote.
The target list includes editors of Ukrainian newspapers; a scientific research institute; a company that designs remote monitoring systems for oil and gas pipeline infrastructure; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines, and water supply plants, among many others.
According to CyberX security experts, attacks are mostly driven by spear-phishing emails that spread Word documents that contain malicious macros.
The documents lure victims into enabling macros by claiming the file was created in a newer version of Word and that macros must be enabled to view its content.
Enabling macros downloads several malware families in multiple stages. According to researchers, there's a main malware downloader, a stage 0 malware dropper, a stage 1 dropper for gaining advanced persistence on infected hosts, a stage 2 dropper for downloading the main malware module, the main malware module itself, a module for interacting with Dropbox, one for encrypting files, and several plugins specialized in stealing certain types of files.
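Because the infection chain starts with a macro-bearing Word document, a mail gateway or analyst can triage attachments for embedded VBA before anyone is asked to "enable content". The following is an added example, not code from CyberX or Bleeping Computer: it checks the OOXML container (.docx/.docm) for the `word/vbaProject.bin` part and the macro-enabled content type, and builds constructed sample documents in memory so it runs offline. Legacy binary .doc files (OLE2) store macros differently and would need an OLE parser such as oletools, which this example deliberately does not cover.

```python
import io
import zipfile

# Where OOXML Word documents keep a VBA project, and the main-part content
# type that marks a file as macro-enabled (.docm).
VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def has_vba_macro(data: bytes) -> bool:
    """Return True if an OOXML Word document carries a VBA project.

    Non-zip input (e.g. a legacy OLE2 .doc) returns False; it needs a
    different parser and should be treated as 'unknown', not 'clean'.
    """
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if VBA_PART in names:
                return True
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        return False
    return False


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment for a reviewer: a short verdict string."""
    if not data.startswith(b"PK"):
        return "not OOXML: inspect with an OLE parser before trusting"
    if has_vba_macro(data):
        # A .docx name on a macro-carrying container is itself suspicious.
        if filename.lower().endswith(".docx"):
            return "macro-enabled content under a .docx name: quarantine"
        return "macro-enabled document: review before opening"
    return "no VBA project found"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used as sample input (not a real Word file)."""
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project; not real VBA.
            z.writestr(VBA_PART, b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample_doc(True)),
                      ("invoice.docx", build_sample_doc(True)),
                      ("report.docx", build_sample_doc(False))):
        print(name, "->", triage(name, doc))
```

The check is a triage signal, not proof of malice: plenty of legitimate documents carry macros. Its value is that it runs before a user sees the "created in a newer version of Word" lure, which is exactly the step the campaign relies on.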
The entire purpose of this malware is to gather intelligence from infected targets, and nothing more.
The downloaded malware doesn't include destructive features and uses several mechanisms to remain hidden, an important clue that its authors are using it for reconnaissance only.
Using Dropbox instead of a custom web server for collecting data is yet another sign that hackers are trying to stay hidden as long as possible. This is because it would be much easier to detect malicious traffic sent to a remote web server compared to Dropbox, an application whitelisted by firewalls and other security products.
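Whitelisting Dropbox at the firewall does not mean traffic to it is invisible: endpoint or proxy logs still record which process sent how much. The following added example (not from CyberX or Bleeping Computer) runs two checks over constructed log lines: an upload to Dropbox API hosts from a process other than the expected Dropbox client, and total upload volume per host and process above a threshold. The log format, the process name `dropbox.exe` as the expected client, the threshold and the sample records are all assumptions made for the example; the Dropbox host names are assumed to match a `dropbox.com`/`dropboxapi.com` suffix.

```python
import re
from collections import defaultdict

# Assumed log format: one record per line, as a proxy or EDR agent might emit.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")
EXPECTED_CLIENTS = {"dropbox.exe"}          # assumed name of the sanctioned client
UPLOAD_THRESHOLD = 50 * 1024 * 1024         # 50 MiB per host/process, assumed

# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
2017-02-17T09:58:10Z host=ws-12 proc=dropbox.exe dst=content.dropboxapi.com bytes_out=1048576
2017-02-17T09:59:02Z host=ws-12 proc=dropbox.exe dst=content.dropboxapi.com bytes_out=1048576
2017-02-17T10:01:30Z host=ws-07 proc=updater.exe dst=content.dropboxapi.com bytes_out=31457280
2017-02-17T10:02:11Z host=ws-07 proc=updater.exe dst=content.dropboxapi.com bytes_out=31457280
2017-02-17T10:02:55Z host=ws-07 proc=updater.exe dst=content.dropboxapi.com bytes_out=31457280
2017-02-17T10:03:00Z host=ws-07 proc=chrome.exe dst=www.example.com bytes_out=4096
this line is malformed and must be skipped
"""


def is_dropbox_host(dst: str) -> bool:
    """True if dst is one of the Dropbox domains or a subdomain of one."""
    dst = dst.lower()
    return any(dst == s or dst.endswith("." + s) for s in DROPBOX_SUFFIXES)


def parse_records(lines):
    """Yield parsed records; malformed lines are dropped rather than crashing the job."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def detect_dropbox_exfil(lines):
    """Return findings: unexpected uploading processes and high upload volumes."""
    unexpected = set()
    totals = defaultdict(int)
    for rec in parse_records(lines):
        if not is_dropbox_host(rec["dst"]):
            continue
        key = (rec["host"], rec["proc"].lower())
        if key[1] not in EXPECTED_CLIENTS:
            unexpected.add(key)
        totals[key] += rec["bytes"]
    high_volume = [(h, p, b) for (h, p), b in totals.items() if b > UPLOAD_THRESHOLD]
    return {
        "unexpected_process": sorted(unexpected),
        "high_volume": sorted(high_volume),
    }


if __name__ == "__main__":
    for kind, items in detect_dropbox_exfil(SAMPLE_LOG.splitlines()).items():
        for item in items:
            print(kind, *item)
```

Either signal alone produces noise (a second sync client, a user uploading a large archive), so in practice the two are correlated and baselined per host; the point is that a sanctioned cloud service does not have to be a blind spot just because the firewall allows it.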
CyberX researchers named this particular campaign BugDrop because the crooks used the PC's microphone to bug victims, and Dropbox to exfiltrate data.
After they analyzed the malware deployed in this campaign, CyberX security experts claim the malware and techniques used in the BugDrop operation are similar to Groundbait, another cyber-espionage campaign discovered in May 2016 by ESET researchers.
Experts said BugDrop malware was compiled one month after ESET's Groundbait report.
“If the two operations are indeed related, this might indicate the group decided it needed to change its TTPs to avoid detection,” the CyberX team cleverly noted.
Furthermore, CyberX suggests that whoever is behind these attacks on Ukrainian targets has “field experience” and access to considerable financial resources.
“[T]he operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets,” experts said. “A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”
“While we are comfortable assigning nation-state level capabilities to this operation, we have no forensic evidence that links BugDrop to a specific nation-state or group,” experts continued. “‘Attribution’ is notoriously difficult, with the added difficulty that skilled hackers can easily fake clues or evidence to throw people off their tail.”