Operation BugDrop attackers use Dropbox to store stolen data

By: Jay Decenella

Attackers are running a cyber espionage campaign in Ukraine that switches on PC microphones to secretly record private conversations and stores the stolen data on Dropbox. Dubbed Operation BugDrop, the attack has targeted critical infrastructure, media, and scientific researchers.

Cybersecurity firm CyberX confirmed the attacks, saying Operation BugDrop has hit at least 70 victims across Ukraine. According to CyberX, the cyber espionage operation has been running since at least June 2016 and is still active. The company said:

The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screenshots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.

Targets and methods

Some examples of Operation BugDrop’s targets include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.
  • A scientific research institute.
  • Editors of Ukrainian newspapers.

More specifically, the attack targeted victims in Ukraine’s separatist states of Donetsk and Luhansk. In addition to Dropbox, the attackers use the following advanced tactics:

  • Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without going through the normal Windows API loader calls, thereby bypassing the security verification that would otherwise be applied to the code before it is loaded into memory.
  • Encrypted DLLs, which avoid detection by common anti-virus and sandboxing systems because those tools are unable to analyze encrypted files.
  • Legitimate free web hosting sites for its command-and-control infrastructure. C&C servers are a potential pitfall for attackers, as investigators can often identify them using the registration details of the C&C server obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
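Because BugDrop parks its stolen recordings on Dropbox, a sanctioned service that most proxies allow, the volume of uploads from a host that has no business reason to use it is one of the few network-side signals a defender has. The following is an added detection example, not code from the article or from CyberX: it assumes a simple whitespace-separated proxy log (timestamp, client IP, method, host, bytes out) and a site-chosen watch list of storage domains, both constructed here, and flags any non-approved client whose POST/PUT volume to those domains exceeds a threshold inside a sliding time window.

```python
# Added example: flag hosts pushing large upload volumes to cloud-storage domains,
# the exfiltration channel the article attributes to BugDrop. Log format is assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed proxy log format: <ISO timestamp> <client_ip> <method> <host> <bytes_out>
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+)$")
# Assumption: the cloud-storage domains this environment chooses to watch.
WATCHED_SUFFIXES = ("dropbox.com", "dropboxapi.com")
# Constructed sample log: .41 uploads 26 MB in nine minutes, .52 uploads 1 MB, .77 only browses.
SAMPLE_LOG = """\
2016-09-12T08:01:10Z 10.20.30.41 POST content.dropboxapi.com 5242880
2016-09-12T08:03:15Z 10.20.30.41 POST content.dropboxapi.com 7340032
2016-09-12T08:05:22Z 10.20.30.77 GET news.example 2048
2016-09-12T08:07:30Z 10.20.30.41 POST content.dropboxapi.com 6291456
2016-09-12T08:09:44Z 10.20.30.41 POST content.dropboxapi.com 8388608
2016-09-12T08:12:00Z 10.20.30.52 POST content.dropboxapi.com 1048576
"""
def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than crash the detector
    ts, client, method, host, nbytes = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host.lower(), int(nbytes)

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_suspect_uploaders(log_text, approved_clients, threshold_bytes, window_seconds):
    """Return {client: peak_bytes} for unapproved clients whose POST/PUT volume to watched domains exceeds threshold_bytes within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # client -> [(timestamp, bytes_out)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in ("POST", "PUT") and is_watched(rec[3]):
            events[rec[1]].append((rec[0], rec[4]))
    suspects = {}
    for client, evs in events.items():
        if client in approved_clients:
            continue  # sanctioned Dropbox user: upload volume alone is not a signal here
        evs.sort()
        start, running = 0, 0
        for ts, nbytes in evs:
            running += nbytes
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                running -= evs[start][1]
                start += 1
            if running > threshold_bytes:
                suspects[client] = max(suspects.get(client, 0), running)
    return suspects
```

With the sample log, an approved list of {"10.20.30.52"}, a 20 MiB threshold and a 600-second window, only 10.20.30.41 is reported; the thresholds are tuning knobs that must be set from a baseline of normal traffic for the site.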

According to CyberX, Operation BugDrop heavily mimics Operation Groundbait, which was discovered in May 2016 targeting pro-Russian individuals.

