Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads (July 2022)
The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.
What's changed in the newer iterations of the campaign is the use of cloud services like Dropbox and Google Drive to conceal the actor's activity and to retrieve additional malware into target environments.
A second version of the attack observed in late May 2022 is said to have adapted further to host the HTML dropper in Dropbox.
EnvyScout, for its part, serves as an auxiliary tool to further infect the target with the actor's implant of choice, in this case a .NET-based executable that's concealed in multiple layers of obfuscation and used to exfiltrate system information as well as execute next-stage binaries such as Cobalt Strike fetched from Google Drive.
"The use of DropBox and Google Drive services is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," the researchers said.
The findings also coincide with a new declaration from the Council of the European Union, calling out the spike in malicious cyber activities perpetrated by Russian threat actors and "Condemn[ing] this unacceptable behavior in cyberspace."
News URL
https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html
Related news
- Russian hackers deliver malicious RDP configuration files to thousands (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian Turla hackers hit Starlink-connected devices in Ukraine (source)