Ukraine has once again been targeted by hackers.
Attackers have infected a number of computer systems belonging to Ukrainian businesses with a sophisticated piece of malware dubbed BugDrop, which allows them to extract sensitive data from the victims' networks.
CyberX, a security firm, has uncovered an advanced malware campaign that has already exfiltrated 600GB of data from about 70 organizations, including media, infrastructure and scientific research organizations.
Last year, in late 2015, the country also suffered a power outage caused by a group of hackers who targeted the power grid with BlackEnergy malware, leaving 225,000 residents without power.
Modus Operandi Behind the Attack:
Operation BugDrop, a malware campaign, has targeted organizations in several countries, including Ukraine, Russia, Saudi Arabia and Austria.
CyberX researchers believe that BugDrop is the work of highly skilled, government-backed nation-state hackers with nearly limitless resources.
Statement — “Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” reads the CyberX blog post published Wednesday.
Statement — “In particular, the operation requires a massive back-end infrastructure to store, decrypt, and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”
Hackers spread this malware through phishing emails carrying a malicious file or document, such as a PDF or Microsoft Office attachment, with malicious executable code embedded in it.
Once the victim opens the malicious document, the hidden code starts running in the background without the victim's knowledge.
The main malicious code then downloads further components, such as data-stealing plugins, to the infected machine and executes them. All data collected from the victim's infected machine is then uploaded to Dropbox (a cloud storage platform).
BugDrop's main function is to record audio, but the malware also has the capability to steal documents, passwords and other sensitive data from the computer's browsers.
What Does the Malware Do?
Operation BugDrop uses advanced malicious code developed to extract sensitive data from the victim's computer.
It can take screenshots, steal documents and passwords, and record ongoing conversations by switching on the PC's microphone.
The hacking group infects victims' PCs using a malicious Microsoft Word document sent in phishing emails. Once the victim's computer is infected, the malware starts uploading sensitive data to Dropbox (a cloud storage platform).
Why Is It Called BugDrop?
The malware uses the PC's microphone to record audio, effectively bugging the machine, and then sends the audio and other sensitive data to Dropbox, so the researchers dubbed the campaign Operation BugDrop.
Targets of BugDrop
The malware has targeted many known infrastructure organizations, including research centers and media organizations in Ukraine.
According to CyberX, Ukraine is the primary target of BugDrop, but it has also attacked targets in Russia, Saudi Arabia, and Austria.
How Did BugDrop Avoid Detection?
- The malware uses the public cloud platform Dropbox for exfiltration.
- The malware makes the uploaded audio files look like legitimate outgoing traffic.
- BugDrop encrypts its DLLs to avoid detection by traditional anti-virus and sandboxing systems.
- It also uses Reflective DLL (Dynamic Link Library) Injection, a malware injection technique. The BlackEnergy malware used the same technique, as did the Duqu malware in the Stuxnet attacks on Iranian nuclear facilities.
- It uses legitimate free web hosting sites for its command-and-control infrastructure.
What Is Reflective DLL (Dynamic Link Library) Injection?
It is a technique for loading malicious code into a process directly from memory without calling the standard Windows API loader, thereby bypassing the security checks that hook those standard loading routines. The library is loaded from memory into a host process, and the library itself is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.
Operation BugDrop: Targets
- Firms providing remote monitoring systems for oil and gas pipeline infrastructure.
- Engineering firms that design electrical substations, water supply plants and gas distribution pipelines.
- An international organization that monitors counter-terrorism, human rights, and cyber attacks on critical infrastructure in Ukraine.
- A research institute and editors of Ukrainian newspapers.
Measures to Be Taken
Private and public infrastructure operators need to be more vigilant by:
- Always monitoring their services and networks.
- Using advanced behavioral analytics software.
- Using intrusion detection systems (IDS).
- Maintaining a quick-response team to act on this kind of cyber attack.
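As an added example (not code from this post or from CyberX), the following Python script applies the network-monitoring advice above to the exfiltration channel described earlier: it parses constructed proxy log lines and flags internal hosts sending an unusually large volume of POST traffic to Dropbox API hostnames. The log format, the byte and count thresholds, and the hostnames watched are assumptions to be adapted to a real proxy.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): "timestamp src_ip method host bytes_out"
SAMPLE_LOG = """\
2017-02-15T09:01:12 10.0.0.15 GET www.example.org 412
2017-02-15T09:03:40 10.0.0.15 POST content.dropboxapi.com 5242880
2017-02-15T09:18:02 10.0.0.15 POST content.dropboxapi.com 6291456
2017-02-15T09:33:55 10.0.0.15 POST content.dropboxapi.com 4194304
2017-02-15T09:35:10 10.0.0.22 POST content.dropboxapi.com 20480
2017-02-15T09:40:01 10.0.0.31 GET www.example.org 1024
"""

# Assumed Dropbox API hostnames to watch; adjust to what your proxy actually logs.
DROPBOX_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, method, host, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, host, nbytes = m.groups()
            yield ts, src, method, host, int(nbytes)


def dropbox_upload_stats(text):
    """Aggregate POST bytes and upload count per source host for Dropbox API domains."""
    stats = defaultdict(lambda: {"bytes": 0, "uploads": 0})
    for _, src, method, host, nbytes in parse_log(text):
        if host in DROPBOX_HOSTS and method == "POST":
            stats[src]["bytes"] += nbytes
            stats[src]["uploads"] += 1
    return dict(stats)


def flag_exfil_candidates(text, byte_threshold=10 * 1024 * 1024, min_uploads=3):
    """Return hosts whose repeated uploads to Dropbox exceed the volume threshold.
    BugDrop batched audio recordings to Dropbox, so the threshold should be tuned
    against the baseline of hosts that legitimately use Dropbox on the network."""
    return sorted(
        src for src, s in dropbox_upload_stats(text).items()
        if s["bytes"] >= byte_threshold and s["uploads"] >= min_uploads
    )


if __name__ == "__main__":
    for src in flag_exfil_candidates(SAMPLE_LOG):
        print("suspicious upload volume to Dropbox from", src)
```

On the constructed sample, only 10.0.0.15 (three uploads totalling 15 MiB) is flagged; the single small upload from 10.0.0.22 stays below both thresholds.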