At first it may not sound like a big deal to organizations in the U.S. or Western Europe, but in fact the new cyber-reconnaissance malware discovered by CyberX may be a much bigger threat than it first appears.
This new malware, which researchers at CyberX call Operation BugDrop, is designed to sit quietly on computers throughout an organization and record everything picked up by the microphone built into or attached to each computer.
Every day the BugDrop malware uploads the sound files to a Dropbox account, from which the attackers retrieve them for further analysis. Once BugDrop infects an organization, it effectively turns every computer into a bug that in some ways is far more effective than if intelligence operatives had physically planted bugs in the same offices.
The reason it’s so effective is that the computer itself is the bug. Attempts to sweep an office for bugs would fail because the bug is the computer, not a device hidden elsewhere in the office.
The software also takes other steps to avoid detection. Its exfiltration of the audio recordings resembles legitimate traffic, so it is not flagged. The software encrypts the DLLs it installs to avoid detection by antivirus software.
It’s installed using a phishing attack followed by what appear to be legitimate Microsoft Office messages, which are designed to make sure that the computer user enables the macros that carry out the malware installation.
Next the malware installs a main downloader that’s obfuscated to avoid detection by AV software. Then it writes a key to the computer’s registry; this registry key makes sure that the software runs again whenever the computer is restarted. The malware itself is installed using DLL injection, a technique that loads the malware as part of the process of loading legitimate software, which again hides it from anti-malware software.
BugDrop also avoids detection by using the public cloud service Dropbox to receive the surveillance data. This works because many organizations consider Dropbox traffic to be normal activity and they don’t block it.
While the BugDrop malware is primarily intended to capture audio conversations, it can also search for and steal a wide variety of document types as well as steal passwords and other information from browsers. The specific activities of each malware infection can be tailored to match the targeted individual, which is known because the phishing emails that brought the malware into the computer were also specifically targeted.
When it loads, the malware first checks for the existence of software that would expose it, such as some types of anti-malware software and activity monitors such as Wireshark. The exfiltrated data is encrypted before it’s sent to Dropbox.
Nir Giller, co-founder and CTO of CyberX, said that Operation BugDrop is extracting 2.5 to 3 gigabytes from each infected computer per day. Right now, he said, it appears that the Russian hackers are working against Ukraine under specific direction, but it’s not clear exactly who is ultimately behind the attack. Giller noted, however, that all indications are that the malware was created in Russia.
“It’s highly targeted,” Giller said, explaining that it’s aimed at critical infrastructure and the media.
Giller said that an operation such as BugDrop usually starts with a period of surveillance which may last up to six months. This is how the hackers determine who they want to attack and exactly how to go about the attack so that it’s most effective. “They have a specific goal,” he added.
Giller explained that the Russians monitored the Ukrainian power grid for six months before they brought it down in December 2015. One reason he thinks it’s the Russian government is the resources required to process the massive amount of data being taken from Ukraine. He also said that the level of sophistication required to create this malware shows access to vast resources.
While it appears the primary target of Operation BugDrop is Ukraine, there’s already some activity in Saudi Arabia and other places. Giller explained that this malware, and reconnaissance malware like it, can be used to attack anywhere, including in the U.S.
He said that the best way to determine whether a network has been compromised is to monitor the outgoing traffic for signs of exfiltration. In this case, it’s many gigabytes of data going to Dropbox daily.
While the target for the exfiltration could change to some other public cloud service, the exfiltration still has to take place for the malware to do its job. He stressed that network monitoring is critical for spotting it. Once it is spotted, Giller said, there are measures an organization can take to get rid of it, including locating the registry key and running an anti-malware package that can find it.
But it’s important to note that just because the attack is currently going on against Ukraine, that’s no reason to think it can’t happen here. Giller explained that the only thing needed is the motivation.
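The egress check Giller describes, as an added example (not code from CyberX or the article): it totals each host's daily upload volume to Dropbox-related domains from a constructed, simplified proxy log and flags hosts above a threshold. The log format, host names, byte counts and the Dropbox domain list are assumptions for illustration; the threshold is set well below the 2.5 to 3 GB per day quoted above.

```python
"""Flag hosts whose daily upload volume to Dropbox exceeds a threshold."""
from collections import defaultdict

# Constructed sample proxy log (not real data). Assumed format:
#   <date> <src_host> <dst_domain> <bytes_out>
SAMPLE_LOG = """\
2017-02-20 ws-fin-01 dropbox.com 1200000000
2017-02-20 ws-fin-01 content.dropboxapi.com 1500000000
2017-02-20 ws-fin-02 dropbox.com 3500000
2017-02-20 ws-hr-07 api.dropboxapi.com 2900000000
2017-02-21 ws-fin-01 dropbox.com 2600000000
2017-02-21 ws-fin-02 updates.example.com 900000000
"""

# Assumed list of Dropbox domains; extend it for your own environment.
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
GIB = 1024 ** 3


def is_dropbox(domain):
    """True if the domain is a Dropbox domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in DROPBOX_DOMAINS)


def daily_dropbox_upload(log_text):
    """Return {(date, host): bytes uploaded to Dropbox on that day}."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the job
        date, host, domain, bytes_out = parts
        if is_dropbox(domain):
            totals[(date, host)] += int(bytes_out)
    return dict(totals)


def flag_exfiltration(log_text, threshold_bytes=1 * GIB):
    """Return sorted (date, host, bytes) tuples at or above the threshold."""
    return sorted(
        (date, host, total)
        for (date, host), total in daily_dropbox_upload(log_text).items()
        if total >= threshold_bytes
    )


if __name__ == "__main__":
    for date, host, total in flag_exfiltration(SAMPLE_LOG):
        print(f"{date} {host}: {total / GIB:.2f} GiB to Dropbox")
```

A per-host baseline (typical daily volume over the previous weeks) is a better threshold than a fixed number where users legitimately sync large files.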
As soon as whoever is behind the attacks decides to start another attack, it could just as easily be the United States or a European Union country. Considering how poorly protected some critical infrastructure is in the U.S. and elsewhere, such an attack would surely succeed.