Russian hackers use DropBox and Google Drive to evade detection


Security feed from CyberSecurity Help


A Russia-linked state-sponsored hacker group is using legitimate cloud services such as Google Drive and Dropbox to deliver malicious payloads to compromised systems without being noticed.

Researchers at Palo Alto Networks’ Unit 42 said they discovered a phishing campaign orchestrated by APT29 (aka Cloaked Ursa, Nobelium or Cozy Bear), a group thought to be affiliated with the Russian government, that targeted several Western diplomatic missions between May and June 2022.

The attacks involved phishing emails addressed to embassies in Portugal and Brazil containing a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files on the target network, including a Cobalt Strike payload.

In this new campaign the threat actor has been observed abusing the Google Drive and Dropbox cloud services to hide its activity and deliver additional malware payloads into the victim’s environment.

As the researchers explained, EnvyScout is an auxiliary tool used to further infect the target with malware; in this case that malware is an obfuscated .NET executable that exfiltrates system information and executes a next-stage payload, such as Cobalt Strike, fetched from Google Drive.
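The detection difficulty the article describes is that traffic to these services blends in with legitimate use. One defender-side heuristic is to flag cloud-storage API connections that originate from processes other than browsers and the official sync clients. The following is an added example, not code from the article or from Unit 42; the log format, the domain suffixes and the process allowlist are assumptions, and the log lines are constructed.

```python
import re

# Constructed sample egress-proxy log lines (not from the article): timestamp,
# workstation, originating process image, destination hostname. Format is assumed.
SAMPLE_LOG = """\
2022-06-01T09:12:03Z emb-ws-07 chrome.exe www.googleapis.com
2022-06-01T09:12:41Z emb-ws-07 Dropbox.exe api.dropboxapi.com
2022-06-01T09:13:10Z emb-ws-07 OUTLOOK.EXE outlook.office365.com
2022-06-01T09:14:55Z emb-ws-07 svcupdate.exe www.googleapis.com
2022-06-01T09:15:02Z emb-ws-07 powershell.exe content.dropboxapi.com
2022-06-01T09:15:30Z emb-ws-12 firefox.exe www.googleapis.com
"""

# Domain suffixes for the two services the article names. These are an assumption
# for the example, not indicators published with the campaign.
CLOUD_STORAGE_SUFFIXES = ("googleapis.com", "drive.google.com",
                          "dropboxapi.com", "dropbox.com")

# Process images expected to talk to those services: browsers and official clients.
# Tune this allowlist to the environment; it is an assumption here.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe",
                    "dropbox.exe", "googledrivefs.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)$")

def is_cloud_storage(dst):
    """True if the destination hostname is one of the monitored storage services."""
    d = dst.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def find_suspicious(log_text):
    """Return (ts, host, proc, dst) tuples for cloud-storage connections made by
    processes outside the allowlist. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if is_cloud_storage(m["dst"]) and m["proc"].lower() not in EXPECTED_CLIENTS:
            hits.append((m["ts"], m["host"], m["proc"], m["dst"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious cloud-storage access:", *hit)
```

On the constructed sample this flags the two non-browser, non-sync-client connections and ignores the rest; in production the allowlist and a per-host volume baseline would need to be tuned, since the whole point of the technique is that these domains are legitimately busy.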

“Since early May, Cloaked Ursa has continued to evolve their abilities to deliver malware using popular online storage services. Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” Unit 42 wrote.

More technical details as well as Indicators of Compromise (IoCs) related to this campaign can be found here.
