As network connectivity has grown over the years, so too has the skill of the people who manipulate devices. With each successive innovation and ever more sophisticated software, we also face the growing threat of better and better viruses, malware and trojans that can steal your data and persistently disrupt your network. This danger is even greater for end users with no knowledge of code. Because DNS security was designed so loosely, additional DNS firewall and security software is essential. Yet many remain unaware of this and thus remain vulnerable to these attacks. Operation BugDrop is only one in a long series of such attacks.
What is Operation BugDrop?
Operation BugDrop is malware that infects laptops and desktops and steals data by surreptitiously recording, through the PC microphone, the conversations users are having. It then writes this audio to a file and uploads it to a Dropbox account, where the designers of the code can analyze it later. The malware first came to light when CyberX, a cyber security firm, reported on its presence. According to its researchers, the bug has affected over 70 targets across multiple industries, such as news, media and scientific research, and has stolen millions of gigabytes' worth of data.
How does it work?
The malware was spread via large-scale phishing attacks. Files masquerading as legitimate MS Word documents were sent to users, who downloaded them. The files then asked users to enable macros in order to view all of the content. To allay suspicion, they even included an official-looking MS Office logo informing users that enabling macros was recommended.
Once the button was clicked, a malicious VB script running in the background extracted the downloader from the document. The main malware was then downloaded and its DLLs loaded. To further obscure their activity, the attackers used a technique called reflective DLL injection, a particularly sophisticated method that loads a DLL into memory without going through the standard Windows API calls for loading libraries. This makes the malicious DLLs that much harder to detect.
Another stroke of genius on the attackers' part was using Dropbox to collect the stolen data instead of FTP servers. Most organizations rarely restrict Dropbox and often don't monitor connections to it, so the data transfer went through unhindered.
Unfortunately, malware like BugDrop is too sophisticated for standard security software to detect: encrypted code and DLL injection mean the system cannot recognize it as malicious. Continuous and robust monitoring of your network is the only recourse. Your network can be configured to track the amount of data uploaded daily and flag unreasonably high numbers, so the large volumes of audio files would raise an alert. A far simpler, and more effective, measure, of course, is to be vigilant about the files you open.
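The daily upload check described above, written out as an added example (this is not code from the original post or from CyberX). It assumes a simple constructed flow-log format with one line per connection (date, source host, destination domain, bytes out) and two hypothetical thresholds: an absolute cap on bytes a host may upload per day, and a multiple of the host's own median daily volume. Each alert also names the destination that received most of that day's bytes, so an analyst sees straight away when the data went to a cloud file-sharing service that nobody was watching.

```python
"""Flag hosts whose daily outbound upload volume is unreasonably high.

Added example, not from the original post. Log format and thresholds are
assumptions; the sample log below is constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow log: two workstations with ordinary mail traffic,
# one of which suddenly pushes hundreds of megabytes to a file-sharing domain.
SAMPLE_FLOWS = """\
2017-02-01 ws-01 mail.example.com 1200000
2017-02-01 ws-02 mail.example.com 900000
2017-02-02 ws-01 mail.example.com 1100000
2017-02-02 ws-02 mail.example.com 1000000
2017-02-03 ws-01 mail.example.com 1300000
2017-02-03 ws-02 mail.example.com 950000
2017-02-04 ws-01 mail.example.com 1250000
2017-02-04 ws-02 api.dropbox.com 180000000
2017-02-04 ws-02 api.dropbox.com 220000000
"""

ABSOLUTE_CAP_BYTES = 100_000_000  # hypothetical hard cap per host per day
BASELINE_MULTIPLIER = 10          # hypothetical: flag a day > 10x the host's median day


def daily_upload_totals(log_text):
    """Return {host: {date: {dst_domain: bytes_out}}} aggregated from the log."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split()
        totals[host][date][dst] += int(nbytes)
    return totals


def flag_anomalous_days(totals, cap=ABSOLUTE_CAP_BYTES, multiplier=BASELINE_MULTIPLIER):
    """Return sorted (host, date, bytes, top_destination, reason) tuples.

    A day is flagged if its total exceeds the absolute cap, or if the host
    has at least three other days of history and this day exceeds
    `multiplier` times the median of those other days.
    """
    # Per-day totals per host, used both for the cap check and the baseline.
    day_totals = {h: {d: sum(v.values()) for d, v in per_day.items()}
                  for h, per_day in totals.items()}
    alerts = []
    for host, per_day in day_totals.items():
        for date, nbytes in per_day.items():
            reasons = []
            if nbytes > cap:
                reasons.append("above absolute daily cap")
            others = [b for d, b in per_day.items() if d != date]
            if len(others) >= 3:
                base = median(others)
                if base > 0 and nbytes > multiplier * base:
                    reasons.append(f"{nbytes / base:.0f}x host baseline")
            if reasons:
                dests = totals[host][date]
                top_dst = max(dests, key=dests.get)
                alerts.append((host, date, nbytes, top_dst, "; ".join(reasons)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, date, nbytes, top_dst, reason in flag_anomalous_days(
            daily_upload_totals(SAMPLE_FLOWS)):
        print(f"ALERT {date} {host} uploaded {nbytes:,} bytes, mostly to {top_dst}: {reason}")
```

Run on the constructed log, only ws-02 on 2017-02-04 is flagged (400,000,000 bytes, mostly to api.dropbox.com, both above the cap and roughly 420 times its usual day). The baseline rule matters in practice because a fixed cap tuned for a file server would never trip for a workstation that normally sends a few megabytes a day.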
Of the 70 identified victims, the majority were in Ukraine, with a small number in Russia, Austria and Saudi Arabia. The attack was primarily targeted at industry. The massive amount of work needed to analyze and decipher the raw data gathered daily would require massive back-end infrastructure, sophisticated servers and large teams of analysts to comb through the data. All this led CyberX researchers to conclude that the attack was almost certainly the work of government agencies with superb resources. Who, or why, however, we have no way of knowing.