
Operation BugDrop Targets Ukrainian Businesses


tao


Over 600 GB have already been siphoned from over 70 victims

A sophisticated malware campaign that lets attackers steal sensitive data and eavesdrop on conversations held near infected machines is targeting businesses in Ukraine.

 

According to threat intelligence firm CyberX, this new operation has already managed to siphon over 600 gigabytes of data from about 70 victims, all of them businesses from various areas of work, including news media and scientific research, but also critical infrastructure.

 

"Operation BugDrop" is the name given to this malware campaign, which mainly targets victims in Ukraine, with further victims in Russia, Austria, and Saudi Arabia. The perpetrators are unknown at this point, but given the details of the operation uncovered so far, they may be government-backed and well resourced.

 

"Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics," reads the blog post detailing the operation.

 

What does it do?

The malware was designed specifically to infiltrate the victim's computer, grab screenshots, collect documents and passwords, and more importantly, turn on the PC's microphone to capture audio recordings of all conversations taking place around the infected device.

 

Like much other malware, this one reaches its victims via malicious Microsoft Word documents sent in phishing emails. The documents carry embedded malicious macros, which Office does not run unless the user explicitly chooses to enable them. Once the malware is deployed, the infected computer uploads all collected data to Dropbox, from where the attackers retrieve it. This is a well-thought-out choice, since most organizations do not monitor their Dropbox traffic.

 

Detection rates for this malware are low for several reasons. First, the malware makes the exfiltrated audio data look like legitimate outgoing traffic. Second, BugDrop encrypts the DLLs it installs to avoid detection by signature-based scanners. Third, the malware uses the public cloud service Dropbox for its command and data channel, which network administrators do not normally monitor or block.
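The two paragraphs above make the same practical point: uploads to a public cloud service blend in because nobody is looking at them. The following script is an added example, not code from the original article or from CyberX, showing the check a network defender would actually run: parse web proxy log lines, sum the bytes each client pushes to Dropbox hosts via POST or PUT, and flag clients whose upload volume exceeds a threshold. The log layout (timestamp, client IP, method, URL, status, request body bytes), the Dropbox domain list, the sample lines and the 50 MiB threshold are all assumptions constructed for illustration; real proxy formats differ and the threshold should be tuned to the environment's normal Dropbox usage.

```python
"""Spot Dropbox-bound upload volume per client host in web proxy logs.

Added example (not code from the original article or from CyberX). The log
format is a constructed, Squid-like layout assumed for illustration:
    <timestamp> <client_ip> <method> <url> <status> <request_bytes>
where request_bytes is the size of the client's request body (what was uploaded).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains used by Dropbox clients and its API (assumption: suffix match suffices).
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")

# Constructed sample lines; no real hosts or traffic. The last line is
# deliberately malformed to show that parsing skips it instead of crashing.
SAMPLE_LOG = """\
2017-02-15T09:12:01 10.0.3.17 POST https://content.dropboxapi.com/2/files/upload 200 52428800
2017-02-15T09:13:44 10.0.3.17 POST https://content.dropboxapi.com/2/files/upload 200 48234496
2017-02-15T09:15:10 10.0.3.17 POST https://content.dropboxapi.com/2/files/upload 200 61440000
2017-02-15T09:20:02 10.0.3.22 GET https://www.dropbox.com/home 200 0
2017-02-15T09:21:30 10.0.3.22 POST https://content.dropboxapi.com/2/files/upload 200 204800
2017-02-15T09:25:00 10.0.3.40 POST https://example.com/api/report 200 9000000
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def is_dropbox_host(host):
    """Exact or subdomain match only; 'notdropbox.com' must not match."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DROPBOX_SUFFIXES)


def summarize_dropbox_uploads(log_text):
    """Per client: bytes and request count of POST/PUT requests to Dropbox hosts."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_dropbox_host(rec["host"]):
            continue
        if rec["method"] not in ("POST", "PUT"):
            continue  # downloads and page views are not exfiltration
        totals[rec["client"]]["bytes"] += rec["req_bytes"]
        totals[rec["client"]]["requests"] += 1
    return dict(totals)


def find_exfil_candidates(log_text, threshold_bytes=50 * 1024 * 1024):
    """Clients whose upload volume to Dropbox exceeds the threshold (default 50 MiB),
    largest first, as (client, bytes, requests) tuples."""
    summary = summarize_dropbox_uploads(log_text)
    hits = [(c, s["bytes"], s["requests"])
            for c, s in summary.items() if s["bytes"] > threshold_bytes]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for client, nbytes, n in find_exfil_candidates(SAMPLE_LOG):
        print(f"{client}: {nbytes / 2**20:.1f} MiB over {n} uploads to Dropbox")
```

On the constructed sample, only 10.0.3.17 is reported (about 154.6 MiB over three API uploads); 10.0.3.22 stays below the threshold with a single small upload, and the non-Dropbox POST from 10.0.3.40 is ignored. In production this query belongs in the SIEM, run per host per day, with a baseline built from the organization's legitimate Dropbox use.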

 

What is also interesting about BugDrop is its use of Reflective DLL Injection, a technique in which a DLL is mapped and executed from memory by the malware's own loader rather than through the Windows LoadLibrary API, so the payload never needs to be written to disk as a normal module and does not appear in the process's loaded-module list. The technique has been used against Ukraine before: the BlackEnergy malware used in the attack on the country's power grid employed it, as did the malware used in the Stuxnet attacks on Iranian nuclear facilities.

 

"We have no evidence that any damage or harm has occurred from this operation, however identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives," the security experts write.

 

Credit:  http://news.softpedia.com/news/operation-bugdrop-targets-ukrainian-businesses-turns-mics-into-spying-gear-513142.shtml

 

 
