The war is having disastrous consequences in all areas, including cyber. Until now, most Russian-origin threat actors have largely spared local organizations, with a few exceptions such as the ransomware operator OldGremlin, which has been attacking such companies since spring 2020. Now, taking advantage of the fact that citizens are more exposed than usual because numerous security providers have suspended their operations in this market, the group has re-emerged with two new phishing campaigns that exploit the sanctions currently affecting the country.
The first of them, launched on March 22, takes advantage of the suspension of Visa and Mastercard operations in Russia to trick the user into filling out a form to request a new card. The alleged form is actually a malicious Office document hosted on Dropbox which, once opened, loads a remote template hosted on the same service. Through a backdoor called TinyFluff, the attackers can control the compromised endpoint and carry out malicious activities such as data and document theft and the download of arbitrary files.
A second, simplified version of this campaign was discovered on March 25. Although this operation delivers a simpler version of TinyFluff, it still relies on Dropbox to deliver the files used in the initial stage of the attack.
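The delivery chain described above, a document that pulls its payload in as a remote template, leaves a trace in the file itself before anything is executed: an OOXML relationship of type attachedTemplate whose target is an external URL rather than a part inside the archive. The following Python is an added example written for this page, not code from Netskope or from the campaign; it builds a minimal .docx in memory (constructed sample, with a placeholder Dropbox URL, not a real indicator) and scans its relationship parts for external templates. The list of watched hosts is an assumption drawn from the two cloud services the article names.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Namespaces used by OOXML relationship parts (these are the real schema URIs).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Assumption: cloud file-sharing hosts worth a higher severity, based on the
# services named in the article. Extend to match your own environment.
WATCHED_HOSTS = ("dropbox.com", "dropboxusercontent.com", "1drv.ms", "onedrive.live.com")


def find_external_templates(docx_bytes):
    """Return (rels part name, relationship id, target URL) for every attachedTemplate
    relationship whose TargetMode is External, i.e. a template fetched from outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def host_of(url):
    """Extract the lower-cased host from a URL; empty string if it has no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def classify(docx_bytes):
    """Turn external-template findings into alerts. Any external template is suspicious
    (medium); one hosted on a watched cloud-sharing service is rated high."""
    alerts = []
    for part, rid, target in find_external_templates(docx_bytes):
        host = host_of(target)
        watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
        alerts.append({
            "part": part,
            "id": rid,
            "target": target,
            "severity": "high" if watched else "medium",
        })
    return alerts


def build_sample_docx(template_url):
    """Construct a minimal .docx for testing. With a URL, it carries an external
    attachedTemplate relationship; with None, it carries only an internal relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
        )
        zf.writestr(
            "word/settings.xml",
            '<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if template_url is None:
            rel = '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        else:
            rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                   f'Target={quoteattr(template_url)} TargetMode="External"/>')
        zf.writestr(
            "word/_rels/settings.xml.rels",
            f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">{rel}</Relationships>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the sample; not a real indicator.
    sample = build_sample_docx("https://www.dropbox.com/s/PLACEHOLDER/template.dotm?dl=1")
    for alert in classify(sample):
        print(alert)
```

In a mail gateway or sandbox pre-filter, the same `classify` call would run on the attachment bytes; a `high` alert on a document that arrives as a "card request form" is exactly the pattern this campaign relies on, and blocking or detonating it avoids ever fetching the template.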
“Once again, attackers have used a known cloud service to deliver malicious content, and in this particular case they are also taking advantage of the geopolitical situation that is making both organizations and individuals more vulnerable,” says Paolo Passeri, Director of Cyber Intelligence at Netskope.
However, this is not the only recent campaign to have exploited Dropbox. In a totally different example, threat actors targeted the African banking sector with RemcosRAT delivered from Dropbox (again) and from another well-known service, OneDrive. Curiously, in this second campaign the payload is delivered through the GuLoader downloader, which, at least in this case, is not itself delivered through a cloud service but through HTML smuggling techniques.