
Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads
2022-07-20 04:03

A new phishing campaign has been attributed to the Russian state-sponsored hacking group known as APT29. The campaign abuses legitimate cloud services such as Google Drive and Dropbox to deliver malicious payloads onto compromised systems.

What has changed in the newer iterations of the campaign is the use of cloud services like Dropbox and Google Drive to conceal the actors' activity and to retrieve additional malware into target environments.

A second version of the attack observed in late May 2022 is said to have adapted further to host the HTML dropper in Dropbox.

EnvyScout, for its part, serves as an auxiliary tool to further infect the target with the actor's implant of choice, in this case a .NET-based executable that is concealed in multiple layers of obfuscation and is used to exfiltrate system information as well as to execute next-stage binaries, such as Cobalt Strike, fetched from Google Drive.

"The use of DropBox and Google Drive services is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," the researchers said.
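The detection difficulty the researchers describe comes from the fact that traffic to Dropbox and Google Drive is normal in almost every enterprise, so blocking or alerting on the domains alone is not an option. One cheap triage heuristic is to ask which process fetched the file: an implant pulling its next stage from Google Drive is not a browser or the official sync client. The script below is an added example written for this page, not code from the article or the researchers it cites. The proxy log format (timestamp, source IP, user, process name, method, URL, status, bytes), the allowlist of expected client processes, and every sample log line are assumptions constructed for illustration.

```python
"""
Added example: flag successful downloads from Dropbox / Google Drive content
domains that were initiated by a process other than a browser or the official
sync client. Log format, process allowlist and sample lines are assumptions.
"""
import re
from urllib.parse import urlsplit

# Domains the campaign abused, per the article, plus the hosts those
# services actually serve raw content from. Matching is exact host or
# sub-domain, so look-alike hosts such as drive.google.com.evil.example
# are deliberately NOT treated as the real service.
CLOUD_SHARE_DOMAINS = (
    "dropbox.com",
    "dropboxusercontent.com",
    "drive.google.com",
    "docs.google.com",
    "googleusercontent.com",
)

# Processes that are expected to talk to these services (assumed allowlist).
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",   # interactive browsing
    "dropbox.exe", "googledrivefs.exe",          # official sync clients
}

# Assumed proxy log layout:
# ts src_ip user process method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<proc>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Constructed sample log: one benign browser download, one sync-client
# download, one download by an unknown process (the interesting one), a
# failed retry of it, unrelated internal traffic, and a look-alike domain.
SAMPLE_LOG = """\
2022-05-24T09:12:01Z 10.1.2.10 alice chrome.exe GET https://www.dropbox.com/s/abc123/invitation.html?dl=1 200 48211
2022-05-24T09:12:03Z 10.1.2.10 alice dropbox.exe GET https://dl.dropboxusercontent.com/s/xyz/report.pdf 200 913400
2022-05-24T09:14:37Z 10.1.2.10 alice wupdater.exe GET https://drive.google.com/uc?export=download&id=1AbCdEf 200 286720
2022-05-24T09:14:38Z 10.1.2.10 alice wupdater.exe GET https://drive.google.com/uc?export=download&id=1AbCdEf 404 312
2022-05-24T09:15:02Z 10.1.2.11 bob powershell.exe GET https://internal.example.corp/scripts/inventory.ps1 200 5120
2022-05-24T09:16:11Z 10.1.2.12 carol svchost.exe GET https://drive.google.com.phish.example/lure 200 2048
"""


def is_cloud_share_host(host: str) -> bool:
    """True if host is one of the file-sharing services or a sub-domain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_SHARE_DOMAINS)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_downloads(log_text: str):
    """Return successful GETs to cloud-share hosts made by non-allowlisted processes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the triage
        host = urlsplit(rec["url"]).hostname or ""
        if not is_cloud_share_host(host):
            continue
        if rec["method"] != "GET" or rec["status"] != "200":
            continue  # only completed downloads matter here
        if rec["proc"].lower() in EXPECTED_CLIENTS:
            continue  # browser or sync client: expected behaviour
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "user": rec["user"],
            "proc": rec["proc"],
            "host": host,
            "bytes": int(rec["bytes"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['user']} {hit['proc']} "
              f"fetched {hit['bytes']} bytes from {hit['host']}")
```

Run on the constructed log, only the `wupdater.exe` fetch from `drive.google.com` is reported. Treat the process allowlist as a triage filter, not a verdict: an implant can inject into a browser or simply name its binary `chrome.exe`, so the hits should be joined with EDR process-lineage data (which parent spawned the process, and whether the downloaded file was then executed) before anyone acts on them.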

The findings also coincide with a new declaration from the Council of the European Union, calling out the spike in malicious cyber activities perpetrated by Russian threat actors and "Condemn[ing] this unacceptable behavior in cyberspace."


News URL

https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html

Related vendor

VENDOR    LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Google    141        -            996   4895     2855   1622       10368
Dropbox   4          -            3     9        0      1          13