Eavesdropping Malware Discovered Gathering Audio Data in Ukraine

NEWS ANALYSIS: "Operation BugDrop" malware stealthily infects computers and turns on the onboard microphone to gather audio files, which it uploads to Dropbox for the attackers to retrieve and analyze.


At first it may not sound like a big deal to organizations in the U.S. or Western Europe, but in fact the new cyber-reconnaissance malware discovered by CyberX may be a much bigger threat than it first appears.

This new malware, which researchers at CyberX call Operation BugDrop, is designed to sit quietly on computers throughout an organization and record everything heard by the microphone built into or attached to each computer.

Every day the BugDrop malware sends the sound files to a Dropbox account, from which the hackers retrieve them for further analysis. Once the BugDrop malware infects an organization, it effectively turns every computer into a bug that in some ways is far more effective than if intelligence operatives had actually planted bugs in the same offices.

The reason it’s so effective is that the computer itself is the bug. Attempts to sweep an office for bugs would fail because the bug is the computer, not a device hidden elsewhere in the office.

The software also takes other steps to avoid detection. The audio recordings it exfiltrates blend in with legitimate traffic, so the uploads go unnoticed. The software also encrypts the DLLs it installs to avoid detection by antivirus software.

It’s installed using a phishing attack followed by what appear to be legitimate Microsoft Office messages, which are designed to persuade the computer user to enable the macros that carry out the malware installation.

Next the malware installs a main downloader that’s obfuscated to avoid detection by AV software. Then it creates a key in the computer’s registry that ensures the software will run again when the computer is restarted. The malware itself is installed using DLL injection, a technique that loads the malware into the process of a legitimate program, which again hides it from anti-malware software.

BugDrop also avoids detection by using the public cloud service Dropbox to receive the surveillance data. This works because many organizations consider Dropbox traffic to be normal activity and they don’t block it.

While the BugDrop malware is primarily intended to capture audio conversations, it can also search for and steal a wide variety of document types, as well as steal passwords and other information from browsers. The specific activities of each infection can be tailored to the targeted individual; this is known because the phishing emails that brought the malware into the computer were also specifically targeted.

When it loads, the malware first checks for software that would expose it, such as some types of anti-malware software and activity monitors such as Wireshark. The exfiltrated data is encrypted before it’s sent to Dropbox.
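As an added example (not code from the article or from CyberX), the behaviour described above can be correlated on the endpoint: a single process that opens the microphone, writes a Run key for persistence and connects to Dropbox. The telemetry lines, the field layout and the Dropbox domain suffixes are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs), one event per line:
# host,pid,event,detail
SAMPLE_EVENTS = """\
ws01,4120,device_open,microphone
ws01,4120,reg_set,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcupd
ws01,4120,net_connect,content.dropboxapi.com:443
ws02,3301,net_connect,content.dropboxapi.com:443
ws03,512,device_open,microphone
ws03,512,net_connect,teams.microsoft.com:443
"""

# Assumed domain suffixes for Dropbox traffic; adjust to your proxy logs.
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")
RUN_KEY = "\\currentversion\\run\\"  # autostart key used for persistence


def parse_events(text):
    """Parse host,pid,event,detail lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        host, pid, event, detail = line.split(",", 3)
        events.append((host, int(pid), event, detail))
    return events


def score_processes(events):
    """Group events by (host, pid) and collect a behaviour flag set per process."""
    flags = defaultdict(set)
    for host, pid, event, detail in events:
        key = (host, pid)
        if event == "device_open" and "microphone" in detail.lower():
            flags[key].add("mic")
        elif event == "net_connect":
            hostname = detail.rsplit(":", 1)[0].lower()
            if hostname.endswith(DROPBOX_SUFFIXES):
                flags[key].add("dropbox")
        elif event == "reg_set" and RUN_KEY in detail.lower():
            flags[key].add("runkey")
    return flags


def find_suspects(events):
    """Audio capture plus Dropbox upload from one process is the core signal;
    Run-key persistence by the same process raises the severity."""
    suspects = {}
    for key, f in score_processes(events).items():
        if {"mic", "dropbox"} <= f:
            suspects[key] = "high" if "runkey" in f else "medium"
    return suspects


if __name__ == "__main__":
    for (host, pid), sev in find_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host} pid {pid}: {sev}")
```

Dropbox traffic alone (ws02) and microphone use alone (ws03) are not flagged; only the combination on ws01 is, which is what keeps the rule from firing on ordinary file-sync and conferencing use.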

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...