Last month, CyberX Labs published an article on Operation BugDrop, an information-stealing campaign that seems primarily targeted towards Ukraine. The malware analyzed has a complex installation process, with multiple techniques employed to attempt to bypass security products.
One of the most common modern attack vectors is sending malicious Microsoft Word documents to users via phishing emails. Often, the content of the email attempts to trick users into disabling MS Office built-in security features, such as macro security.
In this case, fake resumes were emailed to targets in Ukraine, delivering a multi-stage dropper that ultimately led to data exfiltration.
Because BugDrop uses reflective DLL injection, most security products that rely on watching which DLLs are loaded into memory will fail to catch this advanced attack before the bad actors can steal information.
Unlike the more common downloader varieties of malicious documents, a multi-stage dropper is distinguished by its ability to hide its payload and to drop additional components to disk:
First, a target is persuaded to comply (or a malicious actor places the files on a machine), opening the document that contains the macro and executing the malicious Visual Basic script. Often this happens right within Outlook, by people who read through dozens of documents.
The second-stage portable executable (PE) is carried as an encrypted byte array, so no active network connection or command-and-control (C2) server is required to receive the second stage.
Normally, the second step places a dropper, responsible for coordinating a number of components, on the drive of the infected computer. This is the case with BugDrop.
After dropping these components, the dropper then edits the registry keys responsible for Windows boot.
The third stage is a DLL that executes the next time Windows starts. Although this stage does exist as a file on disk, the binary is loaded into memory in obfuscated form and then calls another DLL that is loaded by reflective DLL injection (not through the standard Windows API calls).
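The two detection problems this chain poses are (a) finding the second-stage PE hidden as an encrypted byte array and (b) spotting a DLL that was mapped into memory by a reflective loader rather than by the Windows loader. The following Python is an added, defender-side triage example written for this post; it is not code from the original article or from Cylance. It assumes, purely for illustration, that the hidden PE is obscured with a single-byte XOR (the article only says "encrypted"), and it uses constructed sample data: a minimal PE-shaped stub, a constructed XOR key, and a hand-built list of memory regions of the kind a memory scanner would report.

```python
"""Triage helpers for a BugDrop-style multi-stage dropper (added example).

Assumptions not taken from the article: the stage-two PE is hidden under a
single-byte XOR, and memory regions are described by a simple dataclass
standing in for whatever a real memory scanner would report.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def pe_header_at(blob: bytes, off: int) -> bool:
    """True if a plausible PE image starts at blob[off]: an 'MZ' stub whose
    e_lfanew field (DWORD at +0x3C) points at a 'PE\\0\\0' signature in-bounds."""
    if blob[off:off + 2] != MZ or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return e_lfanew >= 0x40 and pe_off + 4 <= len(blob) and blob[pe_off:pe_off + 4] == PE_SIG


def scan_for_pe(blob: bytes, keys=range(256)) -> List[Tuple[int, int]]:
    """Return (offset, xor_key) for every embedded PE found after trying each
    single-byte key. Key 0 is the plaintext case, so an unencoded embedded PE
    is reported with key 0; a hit under a non-zero key means the array was
    XOR-obscured, which is itself worth flagging in a macro-dropped payload."""
    hits = []
    for key in keys:
        decoded = blob if key == 0 else bytes(b ^ key for b in blob)
        start = 0
        while (off := decoded.find(MZ, start)) != -1:
            if pe_header_at(decoded, off):
                hits.append((off, key))
            start = off + 1
    return hits


def recover_pe(blob: bytes, off: int, key: int) -> bytes:
    """Decode from the hit onward so the payload can be hashed or sandboxed."""
    return bytes(b ^ key for b in blob[off:])


@dataclass
class MemRegion:
    base: int
    size: int
    protect: str              # "RX", "RW", "RWX" as a scanner would report it
    mapped_file: Optional[str]  # backing image on disk, or None if private memory
    head: bytes               # first bytes of the region (constructed here)


def unbacked_executable_images(regions: List[MemRegion]) -> List[int]:
    """Reflective-loading heuristic: executable memory with no backing file that
    nevertheless starts with a PE header. A loader that maps a DLL itself instead
    of calling LoadLibrary leaves exactly this footprint, which is why products
    that only watch loader notifications miss it."""
    return [r.base for r in regions
            if "X" in r.protect and r.mapped_file is None and pe_header_at(r.head, 0)]


def build_stub_pe() -> bytes:
    """Constructed PE-shaped header for the demo: not a real, runnable image."""
    hdr = bytearray(0x84)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> 0x80
    hdr[0x80:0x84] = PE_SIG
    return bytes(hdr) + b"\x00" * 32


XOR_KEY = 0x5A                                 # constructed key
PREFIX = b"\x00" * 8                           # constructed leading bytes
SAMPLE_ARRAY = bytes(b ^ XOR_KEY for b in PREFIX + build_stub_pe())

SAMPLE_REGIONS = [  # constructed memory map: one legit image, one heap, one reflective load
    MemRegion(0x7FF6_1000_0000, 0x20000, "RX", r"C:\Windows\System32\ntdll.dll", build_stub_pe()),
    MemRegion(0x1A2B_0000, 0x4000, "RW", None, b"\x00" * 64),
    MemRegion(0x1C3D_0000, 0x30000, "RWX", None, build_stub_pe()),
]

if __name__ == "__main__":
    print("plain scan:", scan_for_pe(SAMPLE_ARRAY, keys=[0]))        # []
    print("xor scan:  ", scan_for_pe(SAMPLE_ARRAY))                  # [(8, 90)]
    print("unbacked executable PE images at:",
          [hex(b) for b in unbacked_executable_images(SAMPLE_REGIONS)])
```

The plain scan finds nothing, which is the point of hiding the stage-two PE as an encrypted array; only the key-trying scan recovers it, and the recovered bytes can then be hashed and handed to a sandbox. The memory-region check shows why a product keyed on DLL load events is blind here: the reflectively loaded image is executable, starts with a PE header, and has no file behind it, so it must be found by scanning memory rather than by watching the loader.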
But CylancePROTECT® catches all of this. In the video below, we demonstrate CylancePROTECT detecting and stopping this threat, pre-execution:
VIDEO: CylancePROTECT vs. Operation BugDrop