Computer security researchers have uncovered a large-scale attack campaign dubbed Operation BugDrop, which extracted more than 600 gigabytes of sensitive data.
Operation BugDrop Discovered
Operation BugDrop is a newly uncovered and very large attack campaign that compromised more than 600 gigabytes of sensitive data from a variety of industries. According to the security researchers who uncovered it, the targets include critical infrastructure facilities, news media and even research organizations. The attackers used malware infections to record conversations, capture screenshots from the infected hosts and steal sensitive files from the compromised networks. The stolen data was uploaded to Dropbox accounts controlled by the attackers.
According to the experts, the campaign relied on a large, well-maintained back-end infrastructure organized to safely store, decrypt and analyze the unstructured data extracted from the captures. To sort through the archives manually, the malware operators have probably employed human analysts on their team. The targets have included the following:
- A well-known company that sells remote monitoring systems for oil and gas pipelines and the industry.
- An international organization that monitors counter-terrorism activities, human rights and computer attacks on Ukrainian critical infrastructure.
- A research institute.
- A company that designs gas distribution pipelines, water supply plants and electrical substations.
The majority of the compromised institutions and businesses are located in Ukraine, a country that has faced numerous other large-scale attack campaigns. Other victim countries are Saudi Arabia and Austria, and the total volume of harvested information is put at no less than 600 gigabytes of unstructured data. There is no clear connection between Operation BugDrop and previous attacks, although there are many similarities, including the geographic region and the targeted industries.
The primary infection method relied on spam e-mail messages carrying file attachments. The attackers used legitimate-looking documents of interest such as invoices, letters and other kinds of important correspondence. When the victims open the documents, they are presented with a prompt or notification window that urges them to enable the embedded macros. The infection begins when the user does so, which causes the macro to extract and run the malware. This campaign has been noted to include several dangerous features, including the following:
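Because the infection chain above starts with a macro-enabled attachment, the first useful control is to tell such attachments apart from plain documents at the mail gateway. The following script is an added example and is not code from the article or from the researchers who reported the campaign. It relies on the fact that a macro-enabled OOXML file (.docm, .xlsm, .pptm) is a zip container holding a vbaProject.bin part, while a plain .docx does not; the sample attachments are constructed in memory so the check runs offline. Legacy OLE2 files (.doc, .xls) are outside its scope.

```python
"""Check whether an Office (OOXML) attachment carries a VBA macro project.

Added example, not code from the original article or from the researchers
who reported Operation BugDrop. The sample documents are constructed here so
the script runs without any real attachments.
"""
import io
import zipfile

# Parts that hold VBA code in macro-enabled OOXML documents.
VBA_PART_NAMES = ("vbaProject.bin", "vbaData.xml")
# Content type declared in [Content_Types].xml for a VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(blob: bytes) -> bool:
    """Return True if the OOXML blob declares or contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # A macro project is a named part anywhere in the package
            # (word/, xl/, ppt/ ...), so compare the basename only.
            for name in zf.namelist():
                if name.rsplit("/", 1)[-1] in VBA_PART_NAMES:
                    return True
            # Fall back to the declared content types.
            try:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                return False
            return VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        # Not a zip container: a legacy OLE2 document (not covered here)
        # or not an Office document at all.
        return False


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like document (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stub standing in for a real compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


def triage_attachments(attachments):
    """Return the names of attachments that contain macros (gateway check)."""
    return [name for name, blob in attachments if has_vba_macros(blob)]


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("letter.docx", build_sample(False)),
        ("notes.txt", b"plain text, not a zip"),
    ]
    print(triage_attachments(samples))  # ['invoice.docm']
```

In a real deployment the flagged attachments would be quarantined or routed to a sandbox rather than delivered, and the check should be paired with one for OLE2 documents, since the older binary formats can carry macros too.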
- The Dropbox file storage service is used to host the exfiltrated files. In many cases the cloud service is used both by individual users and in corporate environments, so access to it is neither monitored nor blacklisted by the responsible IT security team. The malware creators exploit this to hide their traffic better, as only an in-depth network analysis can reveal the suspicious activity.
- The malware uses the Reflective DLL Injection technique, which loads the malicious code directly into memory without going through the normal Windows loader API.
- The criminals use encrypted DLL files to evade detection by most anti-virus solutions and sandbox environments.
- Legitimate free web hosting services are used to host the command and control servers. They are usually registered with counterfeit personal information, which makes it hard for the experts to learn about the attackers.
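The first feature above, exfiltration through an unmonitored Dropbox account, is exactly the kind of activity that "in-depth network analysis" can surface: a workstation that quietly pushes tens of megabytes to Dropbox upload endpoints stands out once per-host upload volume is measured. The script below is an added example, not code from the article or the researchers, that does this over proxy logs. It assumes a constructed log layout (timestamp, client, method, destination host, bytes sent by the client) and a per-host threshold over a sliding window; both the layout and the threshold are assumptions to adapt to a real proxy.

```python
"""Flag hosts that push unusual upload volumes to Dropbox through the proxy.

Added example, not code from the original article or from the researchers
who reported the campaign. Log format and threshold are assumptions; the
sample lines are constructed and contain one host that uploads in bulk.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DROPBOX_SUFFIXES = (".dropbox.com", ".dropboxapi.com")
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024   # 50 MiB per host per window (assumed)
WINDOW = timedelta(hours=1)

# Constructed sample log: "<iso time> <client> <method> <dest host> <bytes sent>"
SAMPLE_LOG = """\
2017-02-15T09:00:12 10.0.0.12 POST content.dropboxapi.com 31457280
2017-02-15T09:03:40 10.0.0.12 POST content.dropboxapi.com 29360128
2017-02-15T09:05:01 10.0.0.12 GET www.example.com 512
2017-02-15T09:07:22 10.0.0.44 POST content.dropboxapi.com 1048576
2017-02-15T11:30:00 10.0.0.44 POST content.dropboxapi.com 2097152
2017-02-15T09:10:05 10.0.0.77 POST mail.example.com 4194304
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, method, host, sent = line.split()
    return datetime.fromisoformat(ts), client, method, host.lower(), int(sent)


def is_dropbox(host):
    """True for the Dropbox web and API domains (and any subdomain)."""
    return host in ("dropbox.com", "dropboxapi.com") or host.endswith(DROPBOX_SUFFIXES)


def find_bulk_uploaders(log_text, threshold=UPLOAD_THRESHOLD_BYTES, window=WINDOW):
    """Return {client: peak_bytes} for clients whose Dropbox upload volume
    within any single window reaches the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, sent = parse_line(line)
        # Only request bodies sent to Dropbox count as uploads.
        if method in ("POST", "PUT") and is_dropbox(host):
            events[client].append((ts, sent))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        peak = running = start = 0
        # Sliding window: drop events older than `window` from the running sum.
        for end, (ts, sent) in enumerate(evs):
            running += sent
            while ts - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_bulk_uploaders(SAMPLE_LOG).items():
        print(f"{client}: {peak} bytes uploaded to Dropbox within one hour")
```

With the constructed data, 10.0.0.12 is reported (about 58 MiB in under ten minutes) while 10.0.0.44, whose two small uploads are hours apart, is not. A threshold alone will not separate legitimate Dropbox users from exfiltration, so in practice the output should be joined with an inventory of which hosts are expected to use the service at all.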
As always, we recommend that everyone use a quality anti-spyware solution to protect themselves from possible intrusions. Such products can also remove active infections with only a few mouse clicks.