Operation BugDrop – hackers steal gigabytes of data from organisations, record conversations

Mic check. Test 1-2-3…

David Bisson

Operation BugDrop - stealing gigabytes of data, and listening in to at least 70 organizations through their computer microphones

A reconnaissance campaign dubbed “Operation BugDrop” has stolen gigabytes of data from at least 70 organizations in Ukraine and elsewhere.

The threat intelligence research team at CyberX came across the operation after discovering an in-the-wild malware campaign.

So far, the malware has captured documents, passwords, and screenshots from dozens of targets located in Ukraine, Saudi Arabia, and Austria. Those victims include a manufacturer of industrial control system monitoring equipment, a human rights institution, and a scientific research institute.


Operation BugDrop has also stolen victims’ audio recordings by surreptitiously turning on infected computers’ microphones.

Obviously, covering your webcam does nothing to protect against this type of attack, although there are platform-specific tools available that issue alerts when a program activates the microphone.

Few threat actors can conduct an ongoing campaign of this magnitude. As CyberX notes in a blog post:

“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”

A BugDrop attack begins when a target receives a specially-crafted email that comes with a Microsoft Word document purporting to contain a list of military personnel’s personal details.

Word doc

The attachment contains malicious macros that, when executed, load a malicious VBS script that runs the malware’s main downloader from the temp folder. This downloader is copied from a Russian social media site; its icon is a meme that makes fun of Ukrainians.

The dropper comes with two DLLs, which are loaded via Reflective DLL Injection in a manner that’s similar to the 2015 BlackEnergy malware attack against a Ukrainian utility company.

The first DLL achieves persistence for the malware, whereas the second downloads the main module. This latter component loads up data-stealing plugins that encrypt all the data they find using Blowfish and then send it to a Dropbox account under the control of the attackers.

Malware architecture

As of this writing, CyberX has found no forensic evidence linking the operation to a particular group.

The security firm is therefore advising organizations to be on the lookout for anomalous behaviors on their networks. They should also disable Office macros on all workstations by default and should educate their employees about the dangers of phishing attacks.
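The infection chain described above (Word macro, VBS script run from the temp folder, downloader, exfiltration to Dropbox) gives a defender concrete behaviors to hunt for. The following is an added example, not code from the article or from CyberX, of a small detector that scans process-creation and network events for those behaviors. The key=value log format, field names (type, host, parent, image, cmd, dest) and the sample events are all constructed for this example; a real deployment would map them onto whatever EDR or Sysmon fields are available.

```python
"""
Added example (not from the article or CyberX): flag the behaviors the
BugDrop chain exhibits on an endpoint, using constructed log lines in an
assumed "key=value" format.
"""
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)          # "...\Temp\..." in a path
DROPBOX_HOST = re.compile(r"(^|\.)dropbox(api)?\.com$", re.IGNORECASE)
# Processes for which Dropbox traffic is expected and not worth an alert.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "dropbox.exe"}

# Constructed sample events: WS01 shows the full chain, WS02 is benign.
SAMPLE_LOG = """\
type=proc host=WS01 parent=explorer.exe image=winword.exe cmd="winword.exe C:\\Users\\a\\Downloads\\list.doc"
type=proc host=WS01 parent=winword.exe image=wscript.exe cmd="wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\x.vbs"
type=proc host=WS01 parent=wscript.exe image=update.exe cmd="C:\\Users\\a\\AppData\\Local\\Temp\\update.exe"
type=net  host=WS01 image=update.exe dest=content.dropboxapi.com port=443
type=proc host=WS02 parent=explorer.exe image=chrome.exe cmd="chrome.exe"
type=net  host=WS02 image=chrome.exe dest=www.dropbox.com port=443
"""

# key=value pairs; a value may be double-quoted so it can contain spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one log line into a dict of field name -> value."""
    event = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        event[key] = quoted if quoted is not None else raw
    return event


def rules_for(event: dict) -> list:
    """Return the names of the detection rules a single event matches."""
    hits = []
    if event.get("type") == "proc":
        parent = event.get("parent", "").lower()
        image = event.get("image", "").lower()
        cmd = event.get("cmd", "")
        # Stage 1: an Office application launching a script host (macro -> VBS).
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        # Stage 2: the script host executing something out of a temp folder.
        if image in SCRIPT_HOSTS and TEMP_PATH.search(cmd):
            hits.append("script_run_from_temp")
        # Stage 3: the script host starting a binary that lives in a temp folder.
        if parent in SCRIPT_HOSTS and TEMP_PATH.search(cmd):
            hits.append("script_host_launches_binary_from_temp")
    elif event.get("type") == "net":
        image = event.get("image", "").lower()
        dest = event.get("dest", "")
        # Stage 4: Dropbox traffic from a process that is not a browser or the client.
        if DROPBOX_HOST.search(dest) and image not in BROWSERS:
            hits.append("non_browser_dropbox_traffic")
    return hits


def detect(log_text: str) -> list:
    """Scan a multi-line log; return (host, rule, image) alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in rules_for(event):
            alerts.append((event.get("host", "?"), rule, event.get("image", "?")))
    return alerts


def hosts_with_full_chain(alerts: list) -> set:
    """Hosts that show both the macro-to-script stage and the Dropbox stage."""
    seen = defaultdict(set)
    for host, rule, _ in alerts:
        seen[host].add(rule)
    return {h for h, rules in seen.items()
            if "office_spawns_script_host" in rules
            and "non_browser_dropbox_traffic" in rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("full chain on:", sorted(hosts_with_full_chain(found)))
```

Each rule on its own is noisy in some environments (an administrator may legitimately run wscript.exe, and a sanctioned sync client talks to Dropbox all day), which is why hosts_with_full_chain only escalates when the macro stage and the exfiltration stage both appear on the same host. Disabling macros by default, as the article recommends, removes stage 1 entirely; the remaining rules still catch a chain that starts some other way.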

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
