Dropbox and Google Drive abused to deliver malware


Threat intelligence group Unit42 announced that recent malware attacks are being cloaked via trusted online storage services like Dropbox and Google Drive. According to the report by Palo Alto Networks security researchers, the targets of the attacks in May and June 2022 were probably embassies in Portugal and Brazil. Unit42 identified the group Cloaked Ursa, also known as APT29, as the attacker. American and British intelligence services attribute APT29 to the Russian foreign intelligence service Sluzhba vneshney razvedki (SVR).

In May 2022, the threat intelligence group Cluster25 first reported Cloaked Ursa malware activity that used Dropbox. Unit42 then began its own investigations: posing as the Portuguese and Brazilian embassies, the attackers sent spear-phishing emails in May and June. Links to an Agenda.pdf with purported proposed dates for ambassadors' meetings served as bait. The attackers used the official embassy logos.

Example of Agenda.pdf with links to EnvyScout, which initiates infiltration of the system.

(Image: Unit42 / Palo Alto Networks)

According to Unit42, clicking Agenda.html in the phishing document triggers a chain of actions that ends with harvesting user information and delivering malware. The shortcut loads an ISO from the target directory that runs Agenda.exe. The program disguises itself as a process signed by Adobe. The executable loads two DLLs, the second of which runs a .NET x64 executable in memory. That payload disguises itself as a Google Drive process and collects user data. After uploading the user information to Google Drive, the process downloads Cobalt Strike from there and runs it on the target system.

Attack vector via a file hosted on Dropbox in May 2022.

(Image: Unit42 / Palo Alto Networks)

Attack vector via a supposedly trustworthy website in June 2022.

(Image: Unit42 / Palo Alto Networks)

Unit42 suspects the target of the May attack was a NATO member country and the target of the June attack an embassy in Brazil. Using well-known, widely used storage products is new behavior for the Cloaked Ursa group and, according to Unit42, is difficult to detect precisely because the two services are so widely used.

The British and US intelligence services attribute Cloaked Ursa to the Russian foreign intelligence service SVR, to which the SolarWinds hacks are also attributed, among other things; in the past, the activities of Russia's intelligence service have already led to US sanctions. As with SolarWinds, in the cases of Hafnium and the Colonial Pipeline attack, Active Directory was a major vulnerability.

Detailed information on the report, the code the programs execute and the hashes of the phishing files can be found on the Unit42 blog.
