
Russian APT29 Hackers Use Google Drive and Dropbox to Evade Detection: Cyber Threat Intelligence Roundup

Russian APT29 hackers are using Google Drive and Dropbox to evade detection, new CloudMensis spyware is targeting Apple macOS users, and Lightning Framework Linux malware installs rootkits and backdoors

Emerging Issue

In this week’s report: Russia-backed APT29 campaigns are now using popular cloud storage services like Google Drive and Dropbox to evade detection and deliver malware. Plus, new CloudMensis malware is targeting macOS users and trusted cloud services for command and control (C2) attacks and exfiltration. We also explain the new Lightning Framework Linux malware, which comes equipped with an abundance of features that enable it to backdoor devices and deploy rootkits.

1. Russian APT29 hackers use Google Drive, Dropbox to evade detection

According to Unit 42, the Russia-backed advanced persistent threat (APT) group known primarily as APT29 (aka Nobelium or Cozy Bear) is now leveraging trusted, legitimate cloud services like Google Drive and Dropbox to evade detection, exfiltrate data, and deliver malware and hacking tools.

Unit 42’s researchers note that the use of such cloud services for C2, storage, and malware delivery isn’t entirely new to this group. The widespread adoption of these services and the built-in trust they enjoy make their inclusion in APT29’s operations understandable, and worrying.

About APT29

APT29 is best known for its role in the US Democratic National Committee (DNC) hack of 2016 and the major part it is believed to have played in the catastrophic supply-chain compromise of SolarWinds in 2020. APT29 is assessed with a high degree of confidence to operate at the behest of Russia’s Foreign Intelligence Service (SVR). The actor’s motivation is primarily espionage, and it is credited with sophisticated and effective spear-phishing campaigns targeting government, military, and diplomatic entities that appear to align with the state and geopolitical interests of the Russian government.

Campaign details

APT29’s use of popular global online storage services was first observed in attacks targeting Western diplomatic missions and foreign embassies worldwide from early May through June 2022.

Highly convincing spear-phishing attacks are APT29’s favored method of achieving initial access, and this campaign appears to be no exception. The attacks typically begin with the actor delivering phishing emails to targets at foreign embassies, masquerading as invitations to meetings with ambassadors. The emails include weaponized PDFs, containing the supposed meetings’ agendas, which call out to a Dropbox account under the control of the attackers and deliver a Cobalt Strike payload to the victim’s device.

According to a recent write-up from ZDNet on the increasing adoption of trusted cloud services by hackers for various malicious purposes, these initial callouts were unsuccessful – something the article’s author says researchers chalk up to restrictive policies on corporate networks that prevent the use of certain third-party services. The same article states that the attackers quickly adapted, sending similar phishing emails as a second lure but this time leveraging Google Drive accounts to hide their actions and deploy Cobalt Strike and other malware payloads into target environments. This second wave appears to have met with a higher degree of success, likely because Google applications are so widely used in workplaces to support daily operations.

Like many other campaigns of this nature, APT29’s ultimate goal is to deliver additional malware like EnvyScout to serve as backdoors into networks containing sensitive information, or for potential use in future attacks.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While the use of these two specific cloud storage services to deliver malware and obfuscate its deployment may technically be a new tactic for APT29, prior reporting shows that this group has previously experimented with the use of such legitimate services for other purposes. If attacks remain successful, APT29 will likely continue to employ such methods. And, if a recent study from the Ponemon Institute is to be believed, APT29’s attacks come at a time when 60% of IT and security leaders are not confident in their ability to secure cloud environments.

Furthermore, this group’s activity is not only indicative of the increase in Russia-linked hacking operations observed in the wake of geopolitical turmoil in Eastern Europe – these campaigns also serve as a reminder of APT29’s adaptability and sophistication.

Unit 42 encourages all organizations to ‘review their email policies and the IOCs provided in this report to address this threat.’ CTI concurs, and has taken a proactive approach to intelligence efforts ahead of any possible spillover from state-sponsored cyberattacks (which agencies like CISA have repeatedly warned may take the form of destructive malware attacks impacting Western entities) originating from Russian threat actors.”

2. Experts uncover new CloudMensis spyware targeting Apple macOS users

A recent report by WeLiveSecurity details the discovery of a previously unknown macOS backdoor that spies on users of compromised devices.

Using an approach reminiscent of the previous story, the malware, named CloudMensis, relies exclusively on public cloud storage services such as pCloud, Yandex Disk, and Dropbox to receive attacker commands and exfiltrate files.

CloudMensis: An overview

The malware, which was first observed in early 2022, enables operators to gather information from victims’ macOS devices by exfiltrating documents, logging keystrokes, and taking screen captures. Once code execution and administrative privileges are achieved, a two-stage process kicks off – the first stage downloads and executes the second stage. Researchers are unable to determine the initial infection vector for the attacks at this time.

The first stage malware downloads and installs the second-stage malware as a system-wide daemon (a computer program that runs as a background process, rather than being under direct control of a user). At this stage, the attackers have already obtained administrative privileges, as both directories where files are observed being written to disk can only be modified by the root user.

The second stage of the malware is a larger component, containing several features designed to collect information from compromised devices. The intent of this stage is to exfiltrate the captured documents, screenshots, email attachments, etc. CloudMensis uses cloud storage for both receiving commands from its operators, and for exfiltrating files. The malware currently supports three providers: pCloud, Yandex, and Dropbox.
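One defensive check that both cloud-storage stories above suggest, written here as an added example rather than anything from the Unit 42 or ESET reports: a hunt over proxy logs for hosts that push far more data to a storage provider's API than they pull back. The provider hostnames, thresholds, and log format are assumptions to adapt to your own environment, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed API hostnames for the providers named in the roundup (not
# indicators from the reports); map them to your own proxy-log fields.
CLOUD_STORAGE_HOSTS = {
    "content.dropboxapi.com": "Dropbox",
    "api.dropboxapi.com": "Dropbox",
    "www.googleapis.com": "Google Drive",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}
# Constructed sample: timestamp,client,method,host,bytes_out,bytes_in
SAMPLE_LOG = """\
2022-07-20T09:01:02Z,ws-fin-07,POST,content.dropboxapi.com,5242880,512
2022-07-20T09:02:15Z,ws-fin-07,POST,content.dropboxapi.com,7340032,512
2022-07-20T09:03:40Z,ws-fin-07,GET,api.dropboxapi.com,300,2048
2022-07-20T09:05:00Z,ws-hr-02,GET,www.googleapis.com,400,4194304
2022-07-20T09:06:11Z,ws-hr-02,POST,www.googleapis.com,10240,600
2022-07-20T09:07:22Z,ws-dev-11,GET,github.com,500,2097152
"""

def parse_proxy_log(text):
    """Yield (client, host, bytes_out, bytes_in); malformed rows are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        _ts, client, _method, host, out_b, in_b = parts
        try:
            yield client, host, int(out_b), int(in_b)
        except ValueError:
            continue  # non-numeric byte counts: skip rather than crash the hunt

def find_cloud_exfil(text, min_upload_bytes=1_000_000, min_ratio=5.0):
    """Return (client, provider, bytes_out, bytes_in) for hosts whose uploads to
    one storage provider exceed min_upload_bytes and outweigh downloads by
    min_ratio: the shape of staged exfiltration, not ordinary sync or browsing."""
    totals = defaultdict(lambda: [0, 0])
    for client, host, out_b, in_b in parse_proxy_log(text):
        provider = CLOUD_STORAGE_HOSTS.get(host)
        if provider is None:
            continue  # not a watched storage API
        totals[(client, provider)][0] += out_b
        totals[(client, provider)][1] += in_b
    hits = []
    for (client, provider), (out_b, in_b) in sorted(totals.items()):
        if out_b >= min_upload_bytes and out_b >= min_ratio * max(in_b, 1):
            hits.append((client, provider, out_b, in_b))
    return hits
```

On the constructed sample only ws-fin-07 is flagged; in production the thresholds should be baselined per host, since sanctioned sync clients will also upload heavily.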

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Researchers note that the ‘general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced.’ Even though the quality of the code may be subpar, CloudMensis should not be ignored. In fact, given that the malware uses trusted public storage services for receiving attacker commands and exfiltrating files (an increasing trend among advanced cybercriminals and APTs alike), we would be wise to keep a close watch on CloudMensis and its developments.”

3. New Lightning Framework Linux malware installs rootkits, backdoors

CTI is actively tracking the newly emerged ‘Lightning Framework,’ a dangerous new type of malware that targets Linux systems.

According to threat research blog Intezer, the “Swiss Army knife”-like malware can be used to backdoor infected devices and deploy multiple types of rootkits.

Lightning Framework consists of a downloader and core module, with several available plugins – many of which are open-source tools. The framework also heavily utilizes typo-squatting and masquerading to remain undetected.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Lightning Framework is the latest Linux malware family to surface in the past few months, following the emergence of BPFDoor, Symbiote, Syslogk, and OrBit (all of which CTI has reported on in some fashion). If this doesn’t show just how interested threat actors are in targeting Linux environments, I’m not sure what will. Lightning Framework is equipped with an incredible number of features as compared to most previously reported Linux malware. Malware with such an abundance of features at such an early stage in its creation makes Lightning Framework an item of extreme interest.

Intezer researchers noted that several Lightning Framework files were unable to be located for analysis. CTI will continue to track Lightning Framework and provide updates as additional details surface.”

Shut down attacks early with Tanium

Emerging threats like Lightning Framework need to be discovered and eliminated quickly before they can harm your organization.

To help, we offer a powerful Threat Hunting solution that provides fast and accurate threat reporting. To learn how Tanium Threat Hunting can help keep your organization safe, watch this demo.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.