The Russian state-sponsored hacking collective APT29 has been attributed to a new phishing campaign that uses legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads to compromised systems.

“These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022,” Palo Alto Networks Unit 42 said in a Tuesday report. “The lures included in these campaigns suggest targeting a foreign embassy in Portugal and a foreign embassy in Brazil.”

APT29, also tracked under the monikers Cozy Bear, Cloaked Ursa, or The Dukes, has been characterized as an organized cyberespionage group working to collect intelligence that aligns with Russia’s strategic objectives.

Microsoft separately tracks some aspects of the advanced persistent threat’s activities, including the infamous SolarWinds supply chain attack of 2020, under the name Nobelium. Mandiant calls it an evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security.

The most recent intrusions continue the same covert operation previously detailed by Mandiant and Cluster25 in May 2022. In that operation, spear-phishing emails led to the deployment of Cobalt Strike Beacons using an HTML dropper attachment dubbed EnvyScout (aka ROOTSAW) attached directly to the messages.

In the newer iterations, cloud services like Dropbox and Google Drive have been incorporated to conceal the actor’s activity and to retrieve additional malware into target environments. A second version of the attack, observed in late May 2022, is said to have adapted further by hosting the HTML dropper itself in Dropbox.


“Donkey, I am like an Onion; I have Layers!”

“The campaigns and payloads analyzed over time show a strong focus on operating under the radar and lowering the detection rates,” Cluster25 noted. “In this regard, even legitimate services such as Trello and Dropbox suggest the adversary’s will to operate for a long time within the victim environments, remaining undetected.”

EnvyScout, for its part, serves as an additional tool to further infect the target with the actor’s implant of choice, in this case a .NET-based executable concealed in multiple layers of obfuscation, which is used to exfiltrate system information and execute next-stage binaries such as Cobalt Strike fetched from Google Drive.

“The use of DropBox and Google Drive services […] is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said.
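A defender-side triage of the delivery pattern described above (a scripted HTML attachment that pulls its next stage from Dropbox or Google Drive), as an added example that is not code from the report or from Unit 42: the download-URL shapes, the scoring rule and the sample mail are assumptions constructed for this demonstration, not indicators from the campaign.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Download-link shapes for the two services the report names. These patterns
# are an assumption for this example, not indicators taken from the report.
CLOUD_DOWNLOAD_RE = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com/(?:s|scl)/|drive\.google\.com/(?:uc\?|file/d/))"
    r"[^\s\"'<>]+",
    re.IGNORECASE,
)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def triage_message(raw: bytes) -> list[dict]:
    """One finding per HTML *attachment*: the cloud download links it references
    and whether it carries inline script (an HTML dropper cannot act without one).
    The HTML body of an ordinary mail is skipped, so a link in the body alone
    does not trigger."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        html = part.get_content()
        findings.append({
            "filename": part.get_filename(),
            "cloud_urls": sorted(set(CLOUD_DOWNLOAD_RE.findall(html))),
            "has_script": bool(SCRIPT_RE.search(html)),
        })
    return findings


def is_suspicious(finding: dict) -> bool:
    """Flag only the combination: a scripted HTML attachment pointing at a
    cloud-storage download. Either trait alone is common in legitimate mail."""
    return finding["has_script"] and bool(finding["cloud_urls"])


def build_sample(with_dropper: bool) -> bytes:
    """Constructed sample mail (not a real lure). With with_dropper=True an HTML
    attachment scripts a download from a Dropbox-style link (placeholder path);
    otherwise the same link merely appears in the HTML body."""
    link = "https://www.dropbox.com/s/abc123/agenda.iso?dl=1"
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "Agenda"
    m.set_content("See attached.")
    m.add_alternative(f'<p>Agenda: <a href="{link}">download</a></p>', subtype="html")
    if with_dropper:
        dropper = f'<html><body><script>\nlocation.href="{link}";\n</script></body></html>\n'
        m.add_attachment(dropper, subtype="html", filename="agenda.html")
    return m.as_bytes()
```

The rule deliberately ignores a cloud link in the mail body, which is ordinary traffic; what it surfaces is an HTML attachment that both runs script and reaches for a cloud-storage download, the shape the report describes.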

The findings also coincide with a new declaration from the Council of the European Union, calling out the spike in malicious cyber activities perpetrated by Russian threat actors and “condemn[ing] this unacceptable behavior in cyberspace.”

“This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation, and possible escalation,” the Council said in a press statement.
