Late last year, Ukraine also suffered a power outage caused by the same group of hackers that targeted its power grid with the BlackEnergy malware in late 2015, leaving 225,000 residents without electricity.
Now security researchers from threat intelligence firm CyberX have uncovered an advanced malware-based operation that has already siphoned over 600 gigabytes of data from about 70 victim organizations, including critical infrastructure, news media, and scientific research.
Operation BugDrop: Damages and Modus Operandi
Dubbed “Operation BugDrop,” the large-scale malware campaign has been perpetrated mainly against targets in Ukraine, though victims have also been identified in Russia, Saudi Arabia, and Austria.
“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” reads the CyberX blog post published Wednesday.
“In particular, the operation requires a massive back-end infrastructure to store, decrypt, and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”
Here’s What the Malware Does:
Operation BugDrop uses sophisticated malware that has been designed to infiltrate the victim’s computer and capture screenshots, documents, and passwords, and to turn on the PC’s microphone to record all conversations within earshot.
Since the malware uses PC microphones to bug targets and then send the audio and other data files to Dropbox, the researchers have dubbed the malware campaign Operation BugDrop.
For example, it uses:
- Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
- Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without going through the normal Windows API calls, thereby bypassing security verification of the code before it gets loaded into memory.
- Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they’re unable to analyze encrypted files.
- Legitimate free web hosting sites for command-and-control infrastructure. C&C servers are a potential pitfall for attackers, as investigators can often identify them using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that is downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments.
It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled.
Here’s How BugDrop Works:
The hackers spread the malware through phishing emails containing Microsoft Office file attachments with malicious macros embedded in them.
Once the targets open the malware-laden Word document, the hidden, malicious Visual Basic scripts start running in a temporary folder in the background.
The main module of BugDrop downloads the various data-stealing plugins to infected machines and executes them. All the stolen data the malware collects is then uploaded to Dropbox.
Although BugDrop has mainly been designed to record audio, the malware can also steal documents, passwords, and other sensitive data from the computer’s browsers.
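The delivery chain described above (Office document, malicious macro, a script running from a temporary folder) is what endpoint process telemetry can catch. The following detection logic is an added example, not CyberX’s code or data; the Sysmon-like event layout and the sample events are constructed for illustration.

```python
"""Detect the BugDrop delivery chain in process-creation telemetry: an Office
application spawning a script host whose command line points into a temp
folder. Added example; event layout and sample events are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Matches "\Temp\" or "\tmp\" anywhere in the command line, case-insensitive.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed Sysmon-like events: parent image, child image, child command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\a1.vbs"'},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",            # printing helper: benign
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"parent": r"C:\Windows\explorer.exe",           # logon script: benign
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -f C:\Windows\Temp\upd.ps1"},
]

def basename(path: str) -> str:
    """Lower-cased file name, tolerating either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def matches_bugdrop_chain(event: dict) -> bool:
    """All three must hold: Office parent, script-host child, temp-folder path."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) in SCRIPT_HOSTS
            and TEMP_PATH.search(event["cmdline"]) is not None)

def find_suspicious(events: list) -> list:
    """Return the subset of events matching the chain, in input order."""
    return [e for e in events if matches_bugdrop_chain(e)]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {basename(e['parent'])} -> {basename(e['image'])}: {e['cmdline']}")
```

Requiring all three conditions keeps ordinary Office helper processes and administrator logon scripts out of the alert queue.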
Techniques BugDrop Uses to Avoid Detection:
The main malware downloader has low detection rates because:
- The malware makes the audio data look like legitimate outgoing traffic.
- BugDrop encrypts the DLLs that are installed to avoid detection by traditional anti-virus and sandboxing systems.
- The malware uses public cloud service Dropbox.
BugDrop also uses Reflective DLL (Dynamic Link Library) Injection, a malware injection technique that had also been leveraged by the BlackEnergy malware used in the Ukrainian power grid attacks and the Duqu malware in the Stuxnet attacks on Iranian nuclear facilities.
Reflective DLL Injection is used to load malicious code and effectively sidestep security verification procedures without calling the standard Windows API.
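The Dropbox exfiltration noted in both technique lists above works only while nobody baselines Dropbox traffic per host. This added example (not CyberX’s code, nor the report’s data) sums upload bytes to Dropbox per source host from a constructed proxy log and flags hosts far above the fleet median; the log field layout, the destination names and the thresholds are assumptions.

```python
"""Flag hosts whose upload volume to Dropbox stands out from the fleet.
Added example. Constructed proxy-log layout (an assumption):
    "<ISO timestamp> <src_host> <method> <dest_host> <bytes_out>"."""
from collections import defaultdict
from statistics import median

DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")  # assumed destinations

# Constructed sample log: three hosts doing ordinary sync, one host pushing
# hundreds of MB of POSTs to Dropbox over a few hours.
SAMPLE_LOG = """\
2017-02-15T09:01:10 WS-ACCT-01 POST content.dropboxapi.com 2048000
2017-02-15T09:05:12 WS-ACCT-01 GET www.dropbox.com 1200
2017-02-15T09:07:30 WS-HR-03 POST content.dropboxapi.com 4096000
2017-02-15T09:30:01 WS-ENG-07 POST content.dropboxapi.com 314572800
2017-02-15T10:30:02 WS-ENG-07 POST content.dropboxapi.com 262144000
2017-02-15T11:30:03 WS-ENG-07 POST content.dropboxapi.com 209715200
2017-02-15T11:45:00 WS-ENG-07 POST mail.example.org 900
2017-02-15T12:00:00 WS-OPS-02 POST content.dropboxapi.com 1048576
"""

def is_dropbox(dest_host: str) -> bool:
    """True for the bare domain or any subdomain of a Dropbox suffix."""
    host = dest_host.lower()
    return any(host == s or host.endswith("." + s) for s in DROPBOX_SUFFIXES)

def upload_bytes_per_host(log_text: str) -> dict:
    """Sum bytes sent in POST/PUT requests to Dropbox, keyed by source host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the run
        _ts, src, method, dest, size = parts
        if method in ("POST", "PUT") and is_dropbox(dest):
            totals[src] += int(size)
    return dict(totals)

def flag_outliers(totals: dict, floor_bytes: int = 100 * 1024 * 1024,
                  factor: float = 10.0) -> list:
    """Hosts over both an absolute floor and `factor` x fleet median, largest first."""
    if not totals:
        return []
    med = median(totals.values())
    flagged = [(h, b) for h, b in totals.items() if b >= floor_bytes and b > factor * med]
    return sorted(flagged, key=lambda hb: hb[1], reverse=True)

if __name__ == "__main__":
    for host, nbytes in flag_outliers(upload_bytes_per_host(SAMPLE_LOG)):
        print(f"{host}: {nbytes / 2**20:.0f} MiB uploaded to Dropbox")
```

The absolute floor stops a single-host fleet, or one where everyone syncs a little, from producing alerts on noise; the median comparison catches the one machine shipping gigabytes where its peers ship kilobytes.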
Targets of BugDrop:
The malware has targeted a wide range of industries, including critical infrastructure, research centers in Ukraine, and media organizations.
According to CyberX, BugDrop’s primary target has been Ukraine, but it has also been traced to Russia, Saudi Arabia, and Austria.
Operation BugDrop targets identified by the CyberX researchers so far include:
- A firm that designs remote monitoring systems for oil and gas pipeline infrastructures.
- An engineering firm that designs electrical substations, water supply plants and gas distribution pipelines.
- An international organization that monitors counter-terrorism, human rights, and cyber attacks on critical infrastructure in Ukraine.
- A scientific research institute.
- Editors of Ukrainian newspapers.
While concluding the report, CyberX said both private and public sector organizations need to be more vigilant in monitoring their networks and applying more modern technologies like behavioral analytics to identify and quickly respond to these increasingly sophisticated cyber attacks.