Operation BugDrop Targets Ukrainian Businesses
- Fariha Khan
- February 23, 2017
According to a recent report, a sophisticated malware campaign that lets its operators steal sensitive information and eavesdrop on victims' networks is targeting businesses in Ukraine. The operation has already captured more than 600 gigabytes of data from roughly 70 victims, among them news media outlets, scientific research organisations and critical infrastructure operators. The campaign has been named "Operation BugDrop"; most of its targets are in Ukraine, with further victims in Saudi Arabia, Russia and Austria. The perpetrators are not yet known, but the details uncovered so far point to a well-resourced group that is likely government-backed.
The blog post detailing the operation states:
Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.
The malware is built to penetrate the victim's computer, take screenshots, collect documents and passwords, and switch on the PC's microphone to record conversations taking place around the infected device.
Like much other malware, it reaches its victims through malicious Microsoft Word documents sent in phishing emails. These documents carry embedded malicious macros, which Office leaves disabled unless the user explicitly chooses to enable them. Once the malware is in place, the PC uploads the collected data to Dropbox, from where the attackers retrieve it. This is a well-chosen channel, because most organisations do not monitor what flows out to Dropbox.
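A mail gateway or triage script can spot the delivery vector described above before a user is ever asked to enable macros. The following is an added example, not code from the original article or from the report it summarises: it classifies an Office attachment by its container format and flags OOXML documents that carry a VBA project part. The sample documents are constructed in memory (they contain no real macros) so the script runs offline; the legacy OLE branch only flags the file, since finding VBA inside the binary .doc format needs a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.doc)
PK_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a ZIP container


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'not-office'.

    OOXML files keep VBA code in a vbaProject.bin part (word/, xl/ or ppt/),
    so its presence is a reliable macro indicator regardless of the file
    extension the sender chose. Legacy OLE documents are only flagged here;
    a proper OLE parser (for example oletools) is needed to inspect them.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(PK_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types manifest; a plain ZIP does not.
    if "[Content_Types].xml" not in names:
        return "not-office"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def _build_sample(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped ZIP from a dict of part name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (assumption: no real macro code, just the part layout).
MACRO_DOC = _build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})
CLEAN_DOC = _build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})

if __name__ == "__main__":
    for label, doc in (("macro", MACRO_DOC), ("clean", CLEAN_DOC)):
        print(label, "->", classify_office_attachment(doc))
```

The check keys on the container contents rather than on the extension, because attackers can rename files freely; anything that comes back as `ooxml-macro` or `ole-legacy` should be quarantined or detonated rather than delivered to the user.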
Detection rates for this malware are low for several reasons. It makes the captured audio look like legitimate outgoing traffic. BugDrop also encrypts the DLLs it installs, to avoid antivirus detection. And it uses the public cloud service Dropbox to move its data, so the traffic blends in with ordinary use of the service.
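The evasion described above works only as long as nobody looks at the volume of data leaving for Dropbox. A simple aggregation over proxy logs is enough to surface a host that keeps uploading in the way continuous audio capture would produce. The script below is an added example, not code from the original article or from the report; the log format (epoch, client IP, method, host, bytes sent by the client) and the sample lines are constructed, and the thresholds and the approved-host list are placeholders a defender would tune to their own environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (assumed format, not a real capture):
# epoch  client_ip  method  host  bytes_sent_by_client
SAMPLE_LOG = """\
1487827200 10.1.2.15 POST content.dropboxapi.com 4194304
1487827260 10.1.2.15 POST content.dropboxapi.com 4194304
1487827320 10.1.2.15 POST content.dropboxapi.com 4194304
1487827380 10.1.2.15 POST content.dropboxapi.com 4194304
1487827440 10.1.2.15 POST content.dropboxapi.com 4194304
1487827200 10.1.2.40 GET www.dropbox.com 812
1487827230 10.1.2.40 POST content.dropboxapi.com 2097152
1487827500 10.1.2.77 POST api.dropboxapi.com 512
"""

DROPBOX_HOST = re.compile(r"(^|\.)dropbox(api)?\.com$")
LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log: str):
    """Yield (epoch, client_ip, method, host, bytes_sent) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m[1]), m[2], m[3], m[4], int(m[5])


def flag_dropbox_uploaders(log: str, approved_hosts=frozenset(),
                           min_bytes: int = 10 * 2**20, min_posts: int = 3) -> dict:
    """Return {client_ip: (bytes_uploaded, upload_count)} for clients that sent
    at least min_bytes to Dropbox endpoints in at least min_posts uploads and
    are not on the approved list.

    A single large sync is normal; many consecutive uploads from a host with
    no business reason to use Dropbox is the pattern worth paging on.
    """
    totals = defaultdict(lambda: [0, 0])
    for _ts, src, method, host, sent in parse(log):
        if method != "POST" or not DROPBOX_HOST.search(host):
            continue
        totals[src][0] += sent
        totals[src][1] += 1
    return {
        src: (sent, count)
        for src, (sent, count) in totals.items()
        if src not in approved_hosts and sent >= min_bytes and count >= min_posts
    }


if __name__ == "__main__":
    for src, (sent, count) in flag_dropbox_uploaders(SAMPLE_LOG).items():
        print(f"{src}: {sent} bytes to Dropbox in {count} uploads")
```

On the constructed log only 10.1.2.15 is reported (five uploads, 20 MiB); the ordinary sync from 10.1.2.40 and the tiny API call from 10.1.2.77 stay below the thresholds. When the proxy does not intercept TLS, the logs will show only CONNECT requests to the Dropbox hosts with a byte count, so the method filter should be dropped and the byte count per CONNECT session used instead; the aggregation by client is the same.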
BugDrop uses Reflective DLL Injection, which is notable: the technique maps a DLL into a process directly from memory, bypassing the Windows loader, so the library need never be written to disk where antivirus would scan it. The method has been used against Ukraine before. The BlackEnergy malware used in the attack on the country's power grid relied on it, as did the malware used in the Stuxnet attacks on Iranian nuclear facilities.
We have no evidence that any damage or harm has occurred from this operation; however, identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives.