APT29 exploited cloud storage services Dropbox and Google Drive

July 23, 2022

APT29, a Russian state-sponsored threat group, is abusing legitimate cloud storage services such as Dropbox and Google Drive in its espionage operations to evade security detections. According to the reporting, the group relies on the trust that users and security tools place in well-known cloud storage: traffic to these services is common in most networks and rarely blocked, which makes the attacks both harder to spot and cheaper to run.

The advanced persistent threat (APT) group has employed this new strategy in its latest attacks on foreign embassies and diplomatic missions worldwide. Researchers monitored a couple of these campaigns between May and June this year.

The lures used in this newly discovered campaign show that the threat actors targeted at least two foreign embassies, in Brazil and Portugal. The first attack used Dropbox, and a couple of weeks later the second campaign used Google Drive to host and hide the actor’s payload.


APT29 also used an obfuscation technique called HTML Smuggling.


Researchers found that APT29 used a file named “Agenda[.]html” to hide the payload. The HTML file carries the payload as an encoded blob, and JavaScript running in the victim’s browser decodes it and writes a malicious ISO image to the victim’s hard drive. Because the malicious file is assembled on the client rather than fetched as a download, network-level inspection sees only an HTML page. This technique is called HTML Smuggling.

The resulting payload is an ISO file, Agenda[.]iso, which lands on the targeted device. When the user double-clicks the ISO, Windows mounts it as a virtual drive, the infection chain begins, and the malicious code inside the image is executed on the targeted system.
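To make the HTML Smuggling pattern concrete, here is a small triage script that scans an HTML file for the JavaScript calls that characterise the technique (base64 decoding, a Blob constructor, an object URL or msSaveOrOpenBlob, and a forced download), carves out any long base64 run, and identifies the decoded file by its magic bytes. This is an added example written for this article, not APT29’s code and not from any research team; the sample HTML inside it is constructed to mimic the generic smuggling pattern, the file name Agenda.iso follows the article, and the fake ISO bytes, variable names and the “three indicators plus a payload” threshold are assumptions for the demo. The “CD001” signature at offset 0x8001 is the real ISO 9660 primary volume descriptor marker.

```python
"""Triage an HTML file for HTML-smuggling indicators and carve the smuggled payload.

Added example for this article. Not APT29's code and not from the original
research. SAMPLE_HTML is constructed for the demo; the fake ISO bytes, the
variable names and the detection threshold are assumptions.
"""
import base64
import re

# A minimal fake ISO 9660 image: 0x8000 bytes of padding followed by a primary
# volume descriptor whose bytes 1..5 are "CD001" (so the magic sits at 0x8001).
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64

# Constructed sample lure in the shape of a smuggling page: the payload is
# embedded as base64, decoded in the browser, wrapped in a Blob and handed to
# the browser as a file download named Agenda.iso.
SAMPLE_HTML = """<html><body><p>Meeting agenda attached.</p>
<script>
var name = "Agenda.iso";
var data = "%s";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
if (window.navigator.msSaveOrOpenBlob) {
  window.navigator.msSaveOrOpenBlob(blob, name);
} else {
  var a = document.createElement("a");
  a.href = window.URL.createObjectURL(blob);
  a.download = name;
  document.body.appendChild(a); a.click();
}
</script></body></html>""" % base64.b64encode(FAKE_ISO).decode()

# JavaScript APIs that together characterise HTML smuggling: the file is
# assembled client-side and pushed to disk without a separate HTTP download.
INDICATORS = {
    "atob": r"\batob\s*\(",
    "blob_ctor": r"new\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "ms_save_blob": r"msSaveOrOpenBlob",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*[\"']",
}

# A long quoted base64 run inside the page is the smuggled payload itself.
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


def find_indicators(html: str) -> dict:
    """Return which smuggling indicators are present in the HTML text."""
    return {name: bool(re.search(pat, html)) for name, pat in INDICATORS.items()}


def carve_payloads(html: str) -> list:
    """Decode every long base64 string found in the page; skip invalid ones."""
    out = []
    for m in B64_RE.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def identify(payload: bytes) -> str:
    """Classify a carved payload by magic bytes (ISO, PE, ZIP or unknown)."""
    if len(payload) > 0x8006 and payload[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def triage(html: str) -> dict:
    """Combine indicator hits and carved payloads into a verdict.

    Assumed threshold: at least three API indicators plus an embedded payload
    is treated as suspicious; tune it against your own corpus of benign pages.
    """
    hits = find_indicators(html)
    payloads = carve_payloads(html)
    return {
        "indicators": hits,
        "payloads": [(len(p), identify(p)) for p in payloads],
        "suspicious": sum(hits.values()) >= 3 and bool(payloads),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML), indent=2))
```

Run it on a suspicious attachment with `triage(open("Agenda.html").read())`; an ISO carved from an HTML file that never appeared as a network download is exactly the artefact this technique is designed to hide, so the carved payload, not the HTML, is what to submit for sandboxing.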

The phishing campaign targeted the staff of diplomatic organisations worldwide, with a clear focus on countries of strategic interest to Russia. The phishing emails carried a link to a malicious HTML file tracked as EnvyScout, which acts as a dropper for the second-stage malware.

EnvyScout is best understood as a delivery tool used to get the threat actor’s implant onto a target. It deobfuscates the embedded second-stage malware, the malicious ISO, and writes it to disk, and it is used to stage additional payloads such as Cobalt Strike Beacon.

This latest APT29 campaign shows the group’s sophistication in hiding the delivery of its payloads. The group has refined a method that abuses Google Drive and Dropbox, services used by millions of people worldwide, so that its malicious traffic blends in with legitimate use and is unlikely to be blocked by network controls.
