APT29, a Russian state-backed hacking group, is now leveraging cloud services, including Google Drive and Dropbox, in its attacks to avoid detection. The group is abusing users' trust in popular cloud storage services to make its attacks hard to detect.

The abuse of online storage services

The APT29 group has adopted this new tactic in its recent campaigns aimed at Western diplomatic missions and foreign embassies around the world.
  • Two such campaigns were observed by researchers between early May and June 2022.
  • The lures used in the campaigns revealed that the attackers targeted foreign embassies in Portugal and Brazil.
  • One campaign used Dropbox, and the second, two weeks later, used Google Drive to stay hidden.

The infection process

The group used Agenda[.]html to deobfuscate a payload and write a malicious ISO file to the victim's hard drive. This method is called HTML smuggling.
  • The payload is an ISO file, Agenda[.]iso, which is downloaded to the victim's machine. Once it is double-clicked, the infection process starts and the malicious code executes on the target system.
  • A shortcut file alongside the ISO, named Information[.]lnk, kicks off the infection process when a user double-clicks it.
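The decode-and-drop pattern the article calls HTML smuggling is the element a mail gateway or sandbox can look for before any ISO reaches a user. As an added example (not code from the Cyware article or from APT29's tooling), the Python heuristic below scores an HTML attachment on the presence of browser-side decoding calls, scripted download calls and a long embedded base64 blob. The indicator list, weights, the threshold of 6, and both sample inputs are constructed assumptions for illustration; the sample "smuggling" input is only a bag of indicator tokens, not a functional page.

```python
import base64
import re
from dataclasses import dataclass, field

# Assumed indicator weights: each pattern is a building block of the client-side
# decode-and-save chain used by HTML smuggling droppers. Any one of them is
# common in benign pages; several together, plus an embedded blob, is not.
INDICATORS = {
    r"\batob\s*\(": 2,                # base64 decode in the browser
    r"new\s+Blob\s*\(": 2,            # assembles a file in memory
    r"URL\.createObjectURL\s*\(": 2,  # turns the in-memory file into a download URL
    r"msSaveOrOpenBlob\s*\(": 2,      # legacy IE/Edge save-to-disk API
    r"\.download\s*=": 1,             # download attribute set from script
    r"\.click\s*\(\)": 1,             # scripted click on the download link
    r"\.(iso|lnk)\b": 2,              # container / shortcut names in script
}

# A long uninterrupted run of base64 characters: the embedded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
BLOB_WEIGHT = 3
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off; tune against your own mail corpus


@dataclass
class Verdict:
    score: int = 0
    matched: list = field(default_factory=list)   # indicator patterns that hit
    blob_lengths: list = field(default_factory=list)  # lengths of base64 runs found

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def scan_html(html: str) -> Verdict:
    """Score an HTML document for HTML-smuggling indicators (hypothetical helper)."""
    verdict = Verdict()
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, html, re.IGNORECASE):
            verdict.matched.append(pattern)
            verdict.score += weight
    for match in BASE64_BLOB.finditer(html):
        verdict.blob_lengths.append(len(match.group(0)))
    if verdict.blob_lengths:
        verdict.score += BLOB_WEIGHT
    return verdict


# Constructed sample: indicator tokens only, with a harmless base64 blob of
# repeated text standing in for a payload. Not a working dropper.
_FAKE_BLOB = base64.b64encode(b"constructed sample payload " * 10).decode()
SMUGGLING_SAMPLE = (
    '<html><body><script>\n'
    'var data = "' + _FAKE_BLOB + '";\n'
    + " ".join([
        "atob(data)",
        "new Blob([x])",
        "URL.createObjectURL(y)",
        "a.download = 'Agenda.iso'",
        "a.click()",
    ])
    + "\n</script></body></html>"
)

# Constructed benign sample: a plain meeting notice with no script.
BENIGN_SAMPLE = (
    "<html><body><h1>Embassy agenda</h1>"
    "<p>Please see the attached schedule for next week.</p></body></html>"
)


if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = scan_html(doc)
        print(f"{name}: score={v.score} suspicious={v.suspicious} "
              f"indicators={len(v.matched)} blobs={v.blob_lengths}")
```

On the constructed input the detector reports a score of 13 (six indicators plus one 360-character blob), well above the assumed threshold, while the benign notice scores 0. In production the same check belongs at the mail gateway and in the sandbox that detonates attachments, and the blob-length threshold should be raised or lowered against the organisation's own legitimate HTML traffic to keep false positives manageable.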

Additional insights

The phishing attacks targeted employees of diplomatic organizations globally, with a consistent focus on current Russian strategic interests and previous APT29 targeting.
  • The messages included a link to a malicious HTML file, EnvyScout, that acts as a dropper for secondary malware, such as Cobalt Strike.
  • EnvyScout can be described as an auxiliary tool used to further infect the target with the actor's implant. It deobfuscates the contents of the secondary malware, which is a malicious ISO.
  • The EnvyScout dropper delivers additional malicious payloads, such as a Cobalt Strike beacon.

Ending notes

The recent campaign by APT29 shows its sophistication and its ability to obfuscate malware deployment. Further, the group successfully abused Dropbox and Google Drive, services that are very popular among millions of users around the world. The inclusion of such services in an APT's malware delivery process is a serious issue.
Cyware Publisher