Russian Hackers Use DropBox And Google Drive To Drop Malicious Payloads — The Hacker News

The Russian state-sponsored hacking collective known as APT29 has been traced to a new phishing campaign that leverages legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads to compromised systems.

“These campaigns targeted multiple Western diplomatic missions between May and June 2022,” Palo Alto Networks Unit 42 said in a Tuesday report. “The lures included in these campaigns appear to target a foreign embassy in Portugal as well as a foreign embassy in Brazil.”

APT29, also tracked as Cozy Bear, Cloaked Ursa or The Dukes, has been characterized as an organized cyber espionage group working to collect intelligence that aligns with Russia’s strategic objectives.


Aspects of the group's activities, including the infamous 2020 SolarWinds supply chain attack, are tracked separately by Microsoft under the name Nobelium, with Mandiant describing it as an “evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security.”


The most recent intrusions are a continuation of the same covert operation previously described by Mandiant and Cluster25 in May 2022, in which spear-phishing emails led to the deployment of Cobalt Strike Beacons via an HTML attachment called EnvyScout (aka ROOTSAW) attached directly to the messages.

What has changed in the newer iterations is the use of cloud services like Dropbox and Google Drive to conceal the activity and to deliver additional malware into target environments. A second wave of the attack at the end of May 2022 was further adapted to host the HTML dropper on Dropbox.


“Campaigns and payloads analyzed over time showed a strong focus on operating below the radar and reducing detection rates,” Cluster25 noted at the time. “In this respect, even the use of legitimate services such as Trello and Dropbox suggests the adversary’s willingness to operate in victimized environments for a long time undetected.”

EnvyScout, for its part, serves as an auxiliary tool to further infect the target with the actor’s implant of choice, in this case a .NET-based executable that is concealed behind multiple layers of obfuscation and used to exfiltrate system information as well as to run next-stage binaries such as Cobalt Strike fetched from Google Drive.
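EnvyScout/ROOTSAW is an HTML smuggling dropper: the attachment carries the next stage as an encoded literal and uses browser-side JavaScript to assemble it into a file and hand it to the user as a download. The script below is an added example of a static triage check for exactly that pattern; it is not code from The Hacker News, Unit 42 or Cluster25, and the sample attachment it scans is constructed for this example (it is not EnvyScout and its "payload" is a stand-in, not a real executable). The indicator list and the scoring weights are this example's own assumptions.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example, not the page's own code. The sample attachment and its
embedded payload are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass, field

# JavaScript constructs an HTML-smuggling dropper needs in order to assemble
# a file inside the browser and push it to the user as a download.
SMUGGLING_PATTERNS = {
    "blob_construction": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "click_dispatch": re.compile(r"\.click\s*\(\s*\)", re.I),
}

# A quoted base64 literal of at least 200 characters inside the page.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)        # indicator name -> count
    embedded_blobs: list = field(default_factory=list)  # decoded literals
    score: int = 0                                  # 0 (clean) .. 6


def file_type_hint(blob: bytes) -> str:
    """Rough magic-number check so an analyst sees what was smuggled."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    if len(blob) > 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def triage_html(html: str) -> TriageResult:
    res = TriageResult()
    for name, pat in SMUGGLING_PATTERNS.items():
        n = len(pat.findall(html))
        if n:
            res.hits[name] = n
    for m in BASE64_LITERAL.finditer(html):
        try:
            res.embedded_blobs.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:
            continue  # long string, but not valid base64
    # Scoring (assumed weights): an in-browser assembly primitive plus a
    # download sink is the core pattern; an embedded payload literal and a
    # synthetic click are what a dropper adds on top.
    assembly = "blob_construction" in res.hits or "base64_decode" in res.hits
    sink = any(k in res.hits for k in ("object_url", "ie_save_blob", "download_attr"))
    res.score = (2 if assembly else 0) + (2 if sink else 0)
    res.score += (1 if res.embedded_blobs else 0) + (1 if "click_dispatch" in res.hits else 0)
    return res


# Constructed sample: a stand-in "payload" (MZ header followed by filler, not a
# real PE) smuggled by the usual Blob/createObjectURL/click sequence.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 300
SAMPLE_ATTACHMENT = f"""<html><body><script>
var b64 = "{base64.b64encode(SAMPLE_PAYLOAD).decode()}";
var bin = atob(b64); var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "agenda.iso"; a.click();
</script></body></html>"""

# Constructed benign attachment for comparison.
BENIGN_ATTACHMENT = '<html><body><p>Agenda attached.</p><a href="https://example.com/a.pdf">PDF</a></body></html>'

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        r = triage_html(doc)
        kinds = [file_type_hint(b) for b in r.embedded_blobs]
        print(f"{label}: score={r.score} hits={sorted(r.hits)} smuggled={kinds}")
```

The check is deliberately static (no JavaScript execution), so it is safe to run in a mail-gateway or sandbox pre-filter; a dropper that builds its literal by string concatenation or pulls the second stage from a cloud URL instead of embedding it, as this campaign did with Dropbox, will score lower here, which is why the egress side also needs watching.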


“The use of DropBox and Google Drive services […] is a new tactic for this actor and one that is proving difficult to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said.

The findings also coincide with a new statement by the Council of the European Union denouncing the surge in malicious cyber activities perpetrated by Russian threat actors and “condemn[ing] this unacceptable behavior in cyberspace.”

“This increase in malicious cyber activity, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” the council said in a press release.
