(I’ve got to stop with this alliteration nonsense.)
ArsTechnica reported today on findings by CyberX labs that over 600GB of data was obtained from 70 different targets in varying industries, including “critical infrastructure, news media, and scientific research.” Targets were mostly inside Ukraine, though a small number of targets were from Russia, Austria, and Saudi Arabia.
The malware spread through emails attached with infected Microsoft Word documents “containing malicious macros.” When macros were disabled, the document itself would contain an authentic-looking message prompting users to enable Macros.
After being compromised, machines would upload a variety of data to a Dropbox account. The collected data included:
- Captured audio conversations from attached microphones.
- Sensitive files on connected USB drives and shared folders.
- Passwords from installed browsers.
- Computer information, including usernames and IP addresses.
CyberX notes that this malware showed great similarities to previous cyber operations, such as Operation Groundbait which was used to harm Ukrainian power grids. Yet this malware was rather more sophisticated than those incidents:
- Using Dropbox allowed getting around most corporate firewalls.
- The use of Reflective DLL Injection (previously used by Stuxnet, among others) made it possible to avoid some security verifications.
- The use of encrypted DLLs avoided “common anti-virus and sandboxing systems.”
- The use of free web hosts for command-and-control servers further aided in avoiding detection.
I recommend reading the full ArsTechnica article for a more laymen-friendly explanation, or the full CyberX article for more detail. As for how to avoid an infection like this? Well, it really would be tough to detect this kind-of malware once infected, but quite easy to avoid getting infected in the first place: don’t run Microsoft Word Macros if you don’t trust the person who sent the file!