Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads — The Hacker News


The Russian state-sponsored hacking collective known as APT29 has been blamed for a new phishing campaign that uses legitimate cloud services such as Google Drive and Dropbox to deliver malicious payloads to compromised systems.

“These campaigns would have targeted several Western diplomatic missions between May and June 2022,” Palo Alto Networks Unit 42 said in a Tuesday report. “The lure in these campaigns suggests it is targeting a foreign embassy in Portugal and a foreign embassy in Brazil.”

APT29, also tracked under the names Cozy Bear, Cloaked Ursa, and The Dukes, is characterized as an organized cyber-espionage group that gathers intelligence in support of Russia’s strategic objectives.

Some aspects of the advanced persistent threat’s operations, including the infamous 2020 SolarWinds supply chain attack, are tracked separately by Microsoft under the name Nobelium, and Mandiant calls it “an evolving, disciplined, and highly skilled threat actor operating with an increased level of operational security.”

The most recent intrusions continue the same covert operation previously described by Mandiant and Cluster25 in May 2022, in which spear-phishing emails led to the deployment of Cobalt Strike Beacons via an HTML dropper called EnvyScout (aka ROOTSAW) attached directly to the messages.

What has changed in the newer iterations is the use of cloud services such as Dropbox and Google Drive to conceal the activity and retrieve additional malware in target environments. A second version of the attack, spotted in late May 2022, is said to have been further modified to host the HTML dropper on Dropbox.

“The campaigns and payloads analyzed over time show a strong focus on operating under the radar and reducing detection rates,” Cluster25 noted at the time. “In this regard, even using legitimate services like Trello and Dropbox suggests the adversary’s will to go undetected within victim environments for long periods of time.”

EnvyScout, for its part, serves as an auxiliary tool to further infect the target with the actor’s implant of choice, in this case a .NET-based executable hidden behind multiple layers of obfuscation that is used to exfiltrate system information and execute next-stage binaries, such as Cobalt Strike, retrieved from Google Drive.
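An HTML dropper of this kind carries its payload inside the attachment and reassembles it in the browser, so the mail gateway only ever sees an HTML file. As an added example (not code from the Unit 42, Mandiant or Cluster25 reports, and not a signature for EnvyScout specifically), the Python scanner below flags HTML attachments that show that client-side decode-and-download pattern. The JavaScript indicators, the container-extension list and the blob-size threshold are assumptions to tune for your environment, and both sample pages are constructed here, not real dropper code.

```python
import base64
import re

# Indicators of the client-side decode-and-download pattern behind HTML
# smuggling: the attachment carries the payload as an encoded string and
# JavaScript reassembles it into a file in the browser, so nothing but an
# HTML document crosses the mail gateway or the proxy. (Assumed indicator
# set; extend it with whatever your own samples use.)
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\(", re.I),
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=", re.I),
    "ms_save_blob": re.compile(r"navigator\.msSave(?:OrOpen)?Blob", re.I),
}
# Container formats commonly dropped this way (assumed list).
CONTAINER_EXT = re.compile(r"\.(iso|img|vhd|vhdx|zip|lnk)\b", re.I)
# Minimum length of a contiguous base64 run to count as an embedded blob
# (assumed threshold; legitimate inline images are usually far smaller).
BLOB_MIN_LEN = 4096
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_MIN_LEN)


def scan_html(html: str) -> dict:
    """Return the indicators found in an HTML attachment and a verdict."""
    js_hits = [name for name, rx in JS_INDICATORS.items() if rx.search(html)]
    blobs = B64_RUN.findall(html)
    # Decode only the first 64 base64 chars (48 bytes) of each blob to peek
    # at its magic bytes without materialising a possibly large payload.
    blob_magic = [base64.b64decode(b[:64])[:4].hex() for b in blobs]
    container_ext = sorted({m.lower() for m in CONTAINER_EXT.findall(html)})
    # Verdict: an oversized encoded blob plus at least two of the decode/
    # download primitives is the smuggling pattern; one hit alone is noise.
    verdict = "suspicious" if blobs and len(js_hits) >= 2 else "clean"
    return {
        "js_indicators": js_hits,
        "blob_count": len(blobs),
        "blob_magic": blob_magic,
        "container_ext": container_ext,
        "verdict": verdict,
    }


# Constructed samples (not real dropper code): a benign page with a small
# inline image, and a page that smuggles a fake PE ("MZ" header plus padding)
# and saves it client-side under an .iso name.
BENIGN_HTML = """<html><body>
<h1>Embassy newsletter</h1>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<script>document.title = "Newsletter";</script>
</body></html>"""

_FAKE_PAYLOAD = base64.b64encode(b"MZ" + b"\x90" * 3100).decode()
SMUGGLED_HTML = f"""<html><body>
<p>Loading agenda...</p>
<script>
var data = "{_FAKE_PAYLOAD}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "agenda.iso";
document.body.appendChild(a);
a.click();
</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        print(label, scan_html(page))
```

Run it against attachments pulled from the mail gateway quarantine; the decoded magic bytes tell you what was smuggled (a PE starts with `MZ`), while the `.iso`/`.img` names are worth a separate alert because mounting such a container is a common way to sidestep Mark-of-the-Web. Obfuscated droppers will split or encode the indicator strings, so treat a miss from this scanner as absence of evidence, not a clean bill of health.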

“Using DropBox and Google Drive services […] is a new tactic for this actor and one that is proving challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers around the world,” the researchers said.

The findings also coincide with a new statement from the Council of the European Union, which points to the spike in malicious cyber activities by Russian threat actors and “condemn[s] this unacceptable behavior in cyberspace.”

“This proliferation of malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillovers, misinterpretations and potential escalation,” the Council said in a press statement.