Security company CyberX has just published the results of an investigation into one of the biggest and most sophisticated intrusion campaigns of the past year. The operation, dubbed BugDrop, hit about 70 targets, including industrial and critical-infrastructure companies, scientific research institutes, and even journalists and media outlets, most of them based in Ukraine.
BugDrop is believed to have collected more than 600 GB of data, including audio recordings, screenshots, documents and passwords. The initial compromise came through malicious Microsoft Word files; the stolen data was then uploaded to Dropbox, from where the attackers retrieved it.
Microphones, Word and Dropbox
According to CyberX, BugDrop was not the work of a single person: it is a well-organized operation that relies on sophisticated malware and needs substantial resources to achieve its goal, which suggests that a well-funded actor with a large infrastructure is behind it.
Targets were first infected through a Microsoft Word document sent by e-mail. When opened, the file displayed what looked like an official Office notification: “Caution: The file was created in a newer version of Microsoft programs. You must enable macros to correctly display the contents of a document”. Office does not run macros from an untrusted document until the user clicks through the warning bar, which is exactly why the lure exists; as soon as the user enabled macros, the malicious macro ran and gave the attacker control of the computer.
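The combination described above (a document that carries a VBA project and whose visible text asks the reader to enable macros) is something a mail gateway can test for cheaply. The following is an added example written for this article, not code from CyberX or from the BugDrop report: it opens an OOXML (.docx/.docm) package, checks for `word/vbaProject.bin`, extracts the visible text from `word/document.xml` and matches it against a short list of lure phrases. The lure list, the `build_sample` helper and the sample documents it produces are constructed for the demonstration; the Spanish-language pattern is an assumption and the list is a starting point, not a complete one.

```python
"""Flag Word documents that carry a VBA project and an 'enable macros' lure.

Added example, not from the CyberX report. It checks two things a mail gateway
can test cheaply on an OOXML (.docx/.docm) file: whether word/vbaProject.bin is
present, and whether the visible document text contains a macro-enabling lure.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Lure phrases seen in macro-malware documents. The English ones mirror the
# notification text quoted in the article; the Spanish one is an assumption.
LURE_PATTERNS = [
    re.compile(r"enable\s+macros?", re.I),
    re.compile(r"habilit\w*\s+(las\s+)?macros?", re.I),
    re.compile(r"created\s+in\s+a\s+newer\s+version", re.I),
]


def document_text(zf):
    """Return the concatenated visible text of word/document.xml, or ''."""
    try:
        xml = zf.read("word/document.xml")
    except KeyError:
        return ""
    root = ET.fromstring(xml)
    return " ".join(t.text or "" for t in root.iter(W_NS + "t"))


def analyze_docx(data: bytes) -> dict:
    """Return {'has_vba', 'lure_hits', 'verdict'} for raw OOXML bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_vba = "word/vbaProject.bin" in set(zf.namelist())
        text = document_text(zf)
    hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if has_vba and hits:
        verdict = "block"    # macro code plus a lure asking the user to run it
    elif has_vba:
        verdict = "review"   # macros without a lure: legitimate, or just quieter
    else:
        verdict = "allow"
    return {"has_vba": has_vba, "lure_hits": hits, "verdict": verdict}


def build_sample(with_vba: bool, body: str) -> bytes:
    """Construct a minimal OOXML package in memory (sample input, not real malware)."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>" + body + "</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        if with_vba:
            # OLE compound-file magic followed by filler; a real vbaProject.bin
            # would hold the compressed VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed lure text, copied from the notification quoted in the article.
LURE = ("Caution: The file was created in a newer version of Microsoft programs. "
        "You must enable macros to correctly display the contents of a document")

if __name__ == "__main__":
    print(analyze_docx(build_sample(True, LURE)))
    print(analyze_docx(build_sample(False, "Quarterly report")))
```

A "review" verdict for macro documents without a lure is deliberate: plenty of legitimate business documents carry macros, and blocking them outright generates the help-desk pressure that pushes users to whitelist everything. For real traffic, the text check should also cover `word/header*.xml`, `word/footer*.xml` and images (lures are frequently a screenshot of the fake warning), and the VBA itself should be parsed with a tool such as oletools.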
Once infected, the machine silently turned on its microphone to record the conversations around it, and the resulting audio clips were uploaded to Dropbox. The malware also took screenshots at set intervals, and whenever the user saved a file, a copy of it was uploaded to Dropbox as well.
The operation had a large back-end infrastructure to store, decrypt and analyze the large volume of data captured each day, with significant human involvement: people manually sorted the captured material and processed it for further analysis.
The operation is believed to have been active since June 2016, stealing information mainly from Ukraine, although attacks have also been detected in Russia, Saudi Arabia and Austria. What is novel about this kind of operation is its use of free platforms that companies rarely block: Dropbox has become so widely used around the world that corporate firewalls neither block nor monitor traffic to it, so the attackers' uploads blend in with legitimate use.
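Because Dropbox traffic is allowed through, the signal has to come from volume and from who is doing the uploading rather than from the destination. The script below is an added example written for this article, not from CyberX or from any vendor: it walks web-proxy log lines, sums bytes POSTed to Dropbox upload endpoints per client per day, and notes whether the uploads came from the Dropbox desktop client or from something else. The log format, the log lines themselves, the upload hostnames, the approved user-agent prefix and the 5 MiB threshold are all constructed assumptions for the demonstration; tune them to your own proxy and your own baseline.

```python
"""Hunt for bulk uploads to Dropbox in web-proxy logs.

Added example (not from the CyberX report). Log lines are constructed in a
simplified 'timestamp client method url bytes "user-agent"' format; the Dropbox
hostnames, the approved user-agent prefix and the threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: 10.1.4.22 uses the desktop client modestly, 10.1.7.9 pushes
# megabytes through a WinHTTP-style user agent, 10.1.9.3 uploads a little via a browser.
SAMPLE_LOG = """\
2017-02-20T09:12:03Z 10.1.4.22 POST https://content.dropboxapi.com/2/files/upload 1048576 "Dropbox-Desktop-Client/18.4.32"
2017-02-20T09:12:41Z 10.1.4.22 POST https://content.dropboxapi.com/2/files/upload 2097152 "Dropbox-Desktop-Client/18.4.32"
2017-02-20T09:13:05Z 10.1.7.9 POST https://content.dropboxapi.com/2/files/upload 3145728 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2017-02-20T09:14:10Z 10.1.7.9 POST https://content.dropboxapi.com/2/files/upload 4194304 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2017-02-20T09:15:00Z 10.1.7.9 GET https://www.dropbox.com/ 512 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2017-02-20T09:16:30Z 10.1.9.3 POST https://content.dropboxapi.com/2/files/upload 20000 "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
UPLOAD_HOSTS = {"content.dropboxapi.com", "api-content.dropbox.com"}  # assumed list
APPROVED_UA_PREFIX = "Dropbox-Desktop-Client/"                          # assumed
BULK_THRESHOLD = 5 * 1024 * 1024                                        # 5 MiB per client per day


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["day"] = rec["ts"][:10]
    return rec


def find_suspicious_uploads(log_text):
    """Return {(client, day): (severity, reason)} for Dropbox uploads that look like exfil.

    'high'   = bulk volume from a non-approved user agent
    'medium' = bulk volume from the approved desktop client
    'low'    = small volume, but not from the approved client
    """
    volume = defaultdict(int)   # (client, day) -> bytes uploaded
    odd_agent = set()           # (client, day) with a non-approved user agent
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["host"] not in UPLOAD_HOSTS:
            continue
        key = (rec["client"], rec["day"])
        volume[key] += rec["bytes"]
        if not rec["ua"].startswith(APPROVED_UA_PREFIX):
            odd_agent.add(key)

    findings = {}
    for key, total in volume.items():
        bulk, odd = total >= BULK_THRESHOLD, key in odd_agent
        if bulk and odd:
            severity = "high"
        elif bulk:
            severity = "medium"
        elif odd:
            severity = "low"
        else:
            continue
        findings[key] = (severity, f"{total} bytes to Dropbox, user agent "
                                   f"{'not ' if odd else ''}the approved client")
    return findings


if __name__ == "__main__":
    for key, finding in sorted(find_suspicious_uploads(SAMPLE_LOG).items()):
        print(key, finding)
```

The user-agent check only works while the proxy can see the HTTP headers, i.e. with TLS interception in place; without it, only the connection volume per destination remains. Note also that a user agent is trivially spoofable, so a malware author who copies the desktop client's string reduces the finding to "medium", which is why the volume baseline, not the string match, is the rule to alert on.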
Other components of the operation were DLLs that installed the malware, which in turn dropped encrypted DLLs so as to go unnoticed by antivirus and other analysis tools. The most interesting part, and the one that has so far kept the people responsible from being identified, is their use of free web hosting for their command-and-control servers.
CyberX does not know who is behind the attack or what becomes of the stolen information; it only notes that this is a sophisticated, large-scale malware deployment that needs many people for its day-to-day analysis. From this it concludes that the operator has extensive experience in the field and knows well how to work anonymously and erase every trace.