Palo Alto's threat intelligence team, Unit 42, published a report on Tuesday detailing a cyber campaign in which malicious actors used popular cloud storage services, Google Drive and Dropbox, to deliver malware to Western diplomatic missions.
The report highlights instances in which the threat actor targeted embassies with spear-phishing attacks. Cloaked Ursa, also known as APT29, Nobelium and Cozy Bear, was behind the notorious SolarWinds hack.
Google and Dropbox have both taken steps to stop the phishing attacks.
Hackers Launch Malware in Google Drive and Dropbox
Unit 42 shared its findings from two campaigns, in May and June. Researchers discovered that Google Drive, Dropbox and other cloud storage services played an important role in the phishing attacks: they were used to host and deliver malware.
The hackers used these cloud services to hide the malware, which then allowed them to steal data such as machine names, running processes and network IP information.
This isn't the first time APT29 has been found targeting diplomatic missions. In April, Mandiant observed the threat actor sending phishing messages to embassies from compromised email addresses.
Information about APT29's newest campaigns
Unit 42 says that APT29 began with a fake email to an embassy. The email appeared to contain links concerning an upcoming meeting between an ambassador and the sender. The links pointed to files hosted on cloud storage sites and, when clicked, triggered an intricate malware deployment process.
The malware dropper “EnvyScout” is used in both campaigns. It is hosted on a legitimate domain.
Unit 42 clarified that EnvyScout is an “auxiliary tool” used to infect targets with the actor's implants; it is used to obscure the contents of the malicious ISO file.
There are two main distinctions between the campaigns: their targets and the cloud storage platform used to spread the malware. The first was directed at the Portuguese embassy, the second at the Brazilian embassy. The first campaign used Dropbox for cloud storage, while the second used Google Drive.
Phishing Attacks are “Challenging To Detect”
APT29's use of cloud storage makes the attacks harder to spot, according to the Unit 42 team.
Unit 42 said that Cloaked Ursa has been improving its ability to distribute malware via popular online storage platforms since May. Its two latest campaigns show its sophistication and its ability to conceal the deployment of malware using Dropbox and Google Drive. This tactic is new for the actor, and it is difficult to detect because these services are ubiquitous and trusted by millions of users around the world.
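Because blocking Dropbox and Google Drive outright is rarely an option, one practical response is to flag the specific combination the report describes: a disk image (the ISO lure) fetched from one of those services. The following is an added example, not code from Unit 42 or the article; the log record layout, hostnames and sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Hostnames for the two services named in the report (hypothetical list; extend to match your proxy data).
CLOUD_STORAGE_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com",
                       "drive.google.com", "drive.usercontent.google.com"}
# Disk-image markers matching the ISO lure the report describes.
IMAGE_EXTENSIONS = (".iso", ".img")
IMAGE_MIME_TYPES = {"application/x-iso9660-image", "application/x-cd-image"}

# Constructed record layout: time client method url status content-type bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<size>\d+)$")

def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_cloud_hosted_disk_image(rec):
    """True when a successful GET pulled a disk image from one of the storage services."""
    if rec["method"] != "GET" or rec["status"] != "200":
        return False
    parsed = urlparse(rec["url"])
    if parsed.hostname not in CLOUD_STORAGE_HOSTS:
        return False
    by_name = parsed.path.lower().endswith(IMAGE_EXTENSIONS)  # extension visible in the URL
    by_type = rec["ctype"].split(";")[0].lower() in IMAGE_MIME_TYPES  # or only in the response type
    return by_name or by_type

def find_suspicious_downloads(lines):
    """Return (client, url) pairs worth an analyst's attention; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_cloud_hosted_disk_image(rec):
            hits.append((rec["client"], rec["url"]))
    return hits

# Constructed sample proxy records, not taken from the report.
SAMPLE_LOGS = [
    "2022-06-01T09:12:03Z 10.1.2.5 GET https://www.dropbox.com/s/abc123/agenda.pdf?dl=1 200 application/pdf 48211",
    "2022-06-01T09:14:40Z 10.1.2.5 GET https://www.dropbox.com/s/def456/agenda.iso?dl=1 200 application/octet-stream 1523712",
    "2022-06-01T10:02:11Z 10.1.2.9 GET https://drive.google.com/uc?export=download&id=FILEID 200 application/x-iso9660-image 1398784",
    "2022-06-01T10:05:00Z 10.1.2.9 GET https://example.org/report.iso 200 application/octet-stream 900000",
    "this line is not a valid record",
]

if __name__ == "__main__":
    for client, url in find_suspicious_downloads(SAMPLE_LOGS):
        print(f"ALERT {client} fetched a disk image from cloud storage: {url}")
```

Google Drive direct downloads carry no file extension in the URL, so the content-type check is what catches that case; a non-cloud ISO download (example.org above) is deliberately left to other rules.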