It’s very common to read about malware pilfering all kinds of confidential data from computers — spreadsheets, documents, databases, pictures. Researchers have uncovered a new malware campaign that takes things a step further. It’s recording audio near compromised systems by stealthily switching on the computers’ microphones.
CyberX, a security provider that specializes in industrial control systems (ICS) and the Internet of things, recently reported on an advanced threat called Operation BugDrop. The sophisticated malware, they say, has already exfiltrated hundreds of gigabytes worth of data. CyberX has tallied at least 70 organizations victimized by BugDrop so far. They range from a civil engineering firm to a human rights organization to newspapers.
So far, the bulk of the attacks have targeted operations in Ukraine. BugDrop has also spread to other countries, including Austria, Russia, and Saudi Arabia. CyberX notes that whoever is behind BugDrop has access to significant resources, given that the malware is siphoning several gigabytes of data every day — and that data must be decrypted before it can be analyzed.
When you’re talking about malware and significant resources, you’re often talking about a state-sponsored campaign. CyberX certainly seems to lean that way, saying “while we are comfortable assigning nation-state level capabilities to this operation.” They’re careful to add, however, that “Attribution is notoriously difficult” and that they “have no forensic evidence that links BugDrop to a specific nation-state or group.”
How Is BugDrop Being Spread?
It won’t surprise you to learn how a computer becomes infected by BugDrop. Like nearly every other strain of malware you read about today, BugDrop is being spread via phishing emails (just like recent attacks against Gmail and PayPal users). Office documents laced with malicious macros deliver the “dropper,” which injects the actual malware into a victim’s computer.
So far, only a handful of anti-malware scanners detect BugDrop. That’s not great news, though security software never has to get involved if users are trained to recognize suspicious emails and resist the temptation to open shady attachments.