APT29 Leverages Google Drive, Dropbox to Evade Detection

Call them Cozy Bear or APT29 or Nobelium or, as Palo Alto Networks’ Unit 42 does, Cloaked Ursa. No matter what name they go by, Russia’s Foreign Intelligence Service (SVR) is still at it, this time using Google Drive and Dropbox cloud storage to evade detection.

The latest campaigns conducted by Cloaked Ursa “demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection,” Unit 42 researchers wrote in a blog post. “The use of trusted, legitimate cloud services isn’t entirely new to this group. Extending this trend, we have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time.”

Because Google Drive cloud storage services are ubiquitous—and because they are trusted by millions around the world—“their inclusion in this APT’s malware delivery process [is] exceptionally concerning,” they said.

In the two most recent campaigns, Cloaked Ursa used the agenda for an upcoming meeting with an ambassador to lure victims from a number of Western diplomatic missions in May and June 2022. “The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload,” Unit 42 researchers wrote.

That is not surprising: the group, long believed to be affiliated with the Russian government, is known for operations against exactly such targets, including the hack of the U.S. Democratic National Committee (DNC) and the SolarWinds supply chain attack.

In the first campaign in May, which used Agenda.pdf, the group was in essence targeting a NATO country that it had gone after before, the researchers said. “On Jan. 17, 2022, just days after the WhisperGate attacks in Ukraine, this NATO country was targeted in a Cloaked Ursa phishing campaign using a lure with the subject line of ‘Note Verbal – Ambassador Absence,’” the researchers wrote.

An earlier campaign in February aimed at the Austrian Ministry of Foreign Affairs also used an Embassy of Portugal message (NV – Non-working days of the Embassy of Portugal) as a lure, sent from a Portuguese government email account that had potentially been compromised.

In the second campaign, the PDF, created on April 4, 2022, and modified June 30, “contains information that appears to address a foreign embassy in Brazil while using Brazil’s official logo and notably misspelling ‘Brazil’ as ‘Brzail,’” Unit 42 wrote. “All three URL links in the document point to an internet-facing web server that is hosting a file named Agenda.html.”

Messages sent in the campaign include a link to EnvyScout, a malicious HTML file that the threat actors use to drop Cobalt Strike and/or other malicious payloads. An auxiliary tool to “further infect the target with an actor’s implant,” EnvyScout is “used to deobfuscate the contents of the secondary malware, which is a malicious ISO file,” Unit 42 pointed out.
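The delivery pattern described above, a stand-alone HTML file whose script decodes an embedded payload and hands the browser an ISO to save, is what defenders usually call HTML smuggling, and it leaves characteristic traces in the file itself. The following scanner is an added example written for this article, not Unit 42’s tooling or a signature for EnvyScout; the indicator names, weights, threshold and the constructed sample pages are assumptions, and the embedded payload is just zero bytes.

```python
"""Heuristic scanner for HTML-smuggling droppers (added example, not Unit 42 code).

Looks for the building blocks a browser needs to turn an embedded string into a
downloaded container file: a decode step (atob / XOR loop), a Blob, an object
URL or msSaveOrOpenBlob, a download attribute, and a container extension.
"""
import base64
import re
from dataclasses import dataclass, field

# Indicator patterns (assumed heuristics, not vendor signatures).
API_PATTERNS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*[\"']", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "xor_loop": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^", re.I),
}
# Quoted file names ending in a disk image / archive extension.
CONTAINER_EXT = re.compile(r"[\"'][^\"']*\.(iso|img|vhd|vhdx|zip)[\"']", re.I)
# A single quoted base64-looking literal of 2 KiB or more.
BIG_BLOB = re.compile(r"[\"']([A-Za-z0-9+/=]{2048,})[\"']")


@dataclass
class Finding:
    hits: list = field(default_factory=list)        # which API indicators matched
    dropped_names: list = field(default_factory=list)  # container file names seen
    largest_blob: int = 0                           # length of biggest literal
    score: int = 0

    def is_suspicious(self) -> bool:
        # Assumed threshold: a decode step plus a Blob alone is enough to triage.
        return self.score >= 3


def scan_html(text: str) -> Finding:
    """Score one HTML document; higher means more smuggling indicators."""
    f = Finding()
    for name, pat in API_PATTERNS.items():
        if pat.search(text):
            f.hits.append(name)
            f.score += 1
    f.dropped_names = [m.group(0).strip("\"'") for m in CONTAINER_EXT.finditer(text)]
    if f.dropped_names:
        f.score += 2  # an ISO/IMG target is the strongest single signal
    blobs = [len(m.group(1)) for m in BIG_BLOB.finditer(text)]
    if blobs:
        f.largest_blob = max(blobs)
        f.score += 1
    return f


# --- constructed sample inputs (not real lure files) ---------------------
BENIGN_HTML = '<html><body><p>Agenda</p><script>document.title="Agenda";</script></body></html>'

_FAKE_PAYLOAD = base64.b64encode(b"\x00" * 2400).decode()  # 3200 chars of 'A'
SMUGGLING_HTML = (
    "<html><body><script>\n"
    'var fileName = "meeting-agenda.iso";\n'
    'var payload = "' + _FAKE_PAYLOAD + '";\n'
    "var raw = atob(payload);\n"
    "var bytes = new Uint8Array(raw.length);\n"
    "for (var i = 0; i < raw.length; i++) { bytes[i] = raw.charCodeAt(i) ^ 0x42; }\n"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    "if (window.navigator.msSaveOrOpenBlob) { window.navigator.msSaveOrOpenBlob(blob, fileName); }\n"
    'else { var a = document.createElement("a"); a.href = URL.createObjectURL(blob);'
    " a.download = fileName; a.click(); }\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        r = scan_html(doc)
        print(label, r.score, r.is_suspicious(), r.hits, r.dropped_names, r.largest_blob)
```

The XOR loop and the container extension carry the most weight because a legitimate page rarely needs both; a mail gateway or proxy could run `scan_html` over HTML attachments and link targets and quarantine anything that scores above the threshold for analyst review.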

“Unit 42 has previously reported that 92% of cloud configurations have misaligned identity permissions. The fact that Google Drive is under attack should be of no surprise to anyone,” said Garret Grajek, CEO at YouAttest. “Most applications and data are in the cloud today, and thus the attackers know this is where to target their exploits.”

Noting that “full attention must be paid to these resources to protect against these focused attacks,” Grajek said, “Identity is the most important construct to secure the cloud resources of today and must be provisioned and reviewed with care and automation.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
