A cyber espionage campaign in Ukraine is turning the microphones of infected PCs into bugs, covertly recording private conversations and uploading the stolen data to Dropbox. Dubbed Operation BugDrop, the attack has targeted critical infrastructure, media, and scientific researchers.

Cybersecurity firm CyberX, which documented the attacks, says Operation BugDrop has hit at least 70 victims across Ukraine and has been active since at least June 2016. The company said:

The operation seeks to capture a range of sensitive information from its targets, including audio recordings of conversations, screenshots, documents and passwords. Unlike video recording, which users can often block simply by placing tape over the camera lens, it is virtually impossible to block a computer's microphone without physically accessing and disabling the PC hardware.

Targets and methods

Some examples of Operation BugDrop's targets include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructure.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.
  • A scientific research institute.
  • Editors of Ukrainian newspapers.

Many of the victims are located in the separatist-held regions of Donetsk and Luhansk in eastern Ukraine. According to CyberX, Operation BugDrop closely mimics Operation Groundbait, which was discovered in May 2016 and targeted pro-Russian individuals. In addition to storing stolen data on Dropbox, the attackers also use the following advanced tactics:

  • Reflective DLL injection, an advanced technique for loading malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu, the Stuxnet-related malware aimed at Iranian nuclear facilities. Reflective DLL injection maps a DLL into a process directly from memory, without calling the normal Windows loader API (LoadLibrary). The module therefore never has to exist as a file, and defensive tools that hook the loader or inspect files on disk never get to verify the code before it runs.
  • Encrypted DLLs, which are stored on disk in encrypted form and decrypted only in memory. Common anti-virus and sandboxing systems that analyze the files themselves see only ciphertext and cannot recognize the payload.
  • Legitimate free web hosting sites for its command-and-control infrastructure. C&C servers are a potential pitfall for attackers, because investigators can often identify them through the registration details of the C&C domain, obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
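The encrypted-DLL tactic described above defeats scanners that look for a known payload on disk, but the encryption itself leaves a signature: a blob of ciphertext has near-uniform byte statistics, far from anything a real PE file looks like. The Python below is an added example, not code from the original article or from CyberX's research, and it illustrates both sides: a toy loader that keeps a payload encrypted until it is needed in memory, and the entropy check a file scanner can apply to flag such a blob even though it cannot decrypt it. The DLL image, the keystream cipher (SHA-256 in counter mode, XORed over the data) and the 7.2 bits-per-byte threshold are all assumptions made for the example; BugDrop's real encryption scheme is not described on this page.

```python
import hashlib
import math
import struct
from collections import Counter

# Assumed heuristic threshold in bits per byte: plain PE files usually score
# well below this, while encrypted or packed payloads approach the maximum of 8.0.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 for constant data, close to 8.0 for uniformly random bytes.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data.

    Assumption: this stands in for whatever scheme a real loader uses; it is
    chosen only because it yields ciphertext with realistic, near-uniform byte
    statistics. XOR is its own inverse, so the same call decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def constructed_dll_image() -> bytes:
    """Constructed stand-in for a small DLL (not a real or working PE file).

    MZ and PE markers plus repetitive code-like and string-like bytes give it
    the low entropy typical of an unencrypted executable.
    """
    header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64 + b"PE\x00\x00"
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57] * 256)
    strings = b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00" * 32
    return header + code + strings + b"\x00" * 512


def classify(blob: bytes) -> str:
    """File-scanner view of a blob: 'encrypted-payload', 'plaintext-pe' or 'other'.

    The entropy test runs first on purpose: ciphertext could start with any two
    bytes, so the MZ check alone would be unreliable on an encrypted file.
    """
    if shannon_entropy(blob) >= ENTROPY_THRESHOLD:
        return "encrypted-payload"
    if blob[:2] == b"MZ":
        return "plaintext-pe"
    return "other"


def loader_view(blob_on_disk: bytes, key: bytes) -> str:
    """What a memory scanner would see after the loader decrypts the payload.

    The decrypted buffer never touches disk; this is the stage at which a
    plaintext PE image (MZ header, low entropy) becomes visible.
    """
    return classify(keystream_xor(blob_on_disk, key))


def scan_samples(key: bytes) -> dict:
    """Run the scanner over constructed samples and return verdict per sample."""
    plain = constructed_dll_image()
    samples = {
        "plain_dll.bin": plain,
        "encrypted_dll.bin": keystream_xor(plain, key),
        "readme.txt": b"Operation notes: nothing to see here.\n" * 40,
    }
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    key = b"constructed-example-key"
    for name, verdict in scan_samples(key).items():
        print(f"{name}: {verdict}")
    print("after in-memory decryption:", loader_view(keystream_xor(constructed_dll_image(), key), key))
```

The on-disk ciphertext is flagged as a high-entropy blob rather than recognized as a DLL, which is exactly the gap the attackers rely on: a file scanner can say "suspicious" but cannot match signatures against the payload. Only once the loader decrypts the buffer in memory does a plaintext PE image appear, which is why memory scanning and loader monitoring, rather than file scanning alone, are the controls that catch this tactic.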
