Operation BugDrop: CyberX Discovers Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations

CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

Operation BugDrop: Targets

CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research. The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.

Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

Examples of Operation BugDrop targets identified by CyberX so far include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.
  • A scientific research institute.
  • Editors of Ukrainian newspapers.

Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.

Initially, CyberX saw similarities between Operation BugDrop and a previous cyber-surveillance operation discovered by ESET in May 2016 called Operation Groundbait. However, despite some similarities in the Tactics, Techniques, and Procedures (TTPs) used by the hackers in both operations, Operation BugDrop’s TTPs are significantly more sophisticated than those used in the earlier operation. For example, it uses:

  • Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
  • Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without calling the normal Windows API calls, thereby bypassing security verification of the code before its gets loaded into memory.
  • Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they’re unable to analyze encrypted files.
  • Legitimate free web hosting sites for its command-and-control infrastructure. C&C servers are a potential pitfall for attackers as investigators can often identify attackers using registration details for the C&C server obtained via freely-available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addressees.

Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments. It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled.

How CyberX Investigated Operation BugDrop

CyberX’s Threat Intelligence Research team initially discovered Operation BugDrop malware in the wild. The team then reverse-engineered the code to analyze its various components (decoy documents used in phishing attacks, droppers, main module, microphone module, etc.) and how the malware communicates with its C&C servers. The team also needed to reverse-engineer exactly how the malware generates its encryption keys.

Distribution of Targets by Geography

Operation BugDrop - Distribution of Targets by Nation

Compilation Dates

The modules were compiled about a month after ESET announced the existence of Operation Groundbait. If the two operations are indeed related, this might indicate the group decided it needed to change its TTPs to avoid detection.

Operation BugDrop - Compilation Dates

Technical Details

Operation BugDrop - Technical Details

High-level view of malware architecture

1. Infection Method

  • Users are targeted via specially crafted phishing emails and prompted to open a Microsoft Word decoy document containing malicious macros.
  • If macros are disabled, users are presented with a dialog box (below) prompting them to enable macros. The dialog box is well designed and appears to be an authentic Microsoft Office message.
  • Operation BugDrop - Microsoft Office Screenshot
    • Russian text in dialog box: “внимание! Файл создан в более новой версии программы Микрософт Office. Необходимо включить Макросы для корректного отображения содержимого документа”
    • This is translated as: “Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document.”
  • Based on the document metadata, the language in which the list is written is Ukrainian, but the original language of the document is Russian.
  • The creator of the decoy document creator is named “Siada.”
  • Last modified date is 2016-12-22 10:37:00
  • The document itself (below) shows a list of military personnel with personal details such as birthdate and address:
    • Decoy document with personal information about military personnel

2. Main Downloader

  • The main downloader is extracted from the decoy document via a malicious VB script that runs it from the temp folder.
  • The downloader has low detection rates (detected by only 4 out of 54 AV products).

3. Dropper — Stage 0

  • The icon for the downloader EXE was copied from a Russian social media site (http://sevastopol.su/world.php?id=90195).
  • The icon itself is a meme that jokes about Ukrainians (http://s017.radikal.ru/i424/1609/83/0c3a23de7967.jpg).
  • Operation BugDrop - Dropper Icon

    Dropper icon

  • Operation BugDrop - ForPost

    Russian social media site from where icon for dropper EXE was obtained

  • The dropper has 2 DLLs stored in its resources; they are XOR’ed in such way that the current byte is XOR’ed with the previous byte.
  • This technique is much better than just plain XOR because it results in a byte distribution that doesn’t look like a normal Portable Executable (PE) file loader. This helps obfuscate the file so that it will not be detected by anti-virus systems.
  • The DLLs are extracted into the app data folder:
    • %USERPROFILE%\AppData\Roaming\Microsoft\VSA\.nlp – Stage 1
    • %USERPROFILE%\AppData\Roaming\Microsoft\Protect\.nlp.hist – Stage 2
  • The first stage is executed and the DLL is loaded using Reflective DLL Injection.

4. Dropper – Stage 1 – Achieving Persistency

  • Internal name: loadCryptRunner.dll
  • Compiled: Mon Dec 12 10:09:15 2016
  • Responsible for persistency and executing the downloader DLL, the Stage 1 Dropper registers itself in the registry under the key:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\drvpath
    • RUNDLL32 “%USERPROFILE%\AppData\Roaming\Microsoft\VSA\klnihw22.nlp”, RUNNER
  • The communication DLL is also loaded using Reflective DLL Injection.

5. Dropper – Stage 2 – Downloader for Main Module

  • Internal name: esmina.dll
  • Compiled: Mon Oct 10 14:47:28 2016
  • The main purpose of this DLL is to download the main module
  • The main module is hosted on a free web hosting site with the following URL:
    • windows-problem-reporting.site88.net [Note: Do not visit this malicious site.]
  • We were unable to find any information about this URL in public data sources.
  • Attempting to directly access the URL leads to an “HTTP/1.1 404 Not Found” message.
  • It appear as if downloading the module requires manual approval, indicating the need for a human analyst or handler in the loop.
  • The main module is then downloaded and loaded into memory using Reflective DLL Injection.

6. Main Module

  • The main module downloads the various data-stealing plugins assigned to each victim, and executes them.
  • It also collects locally-stored stolen data and uploads it to Dropbox.
  • The main module incorporates a number of anti-Reverse Engineering (RE) techniques:
    • Checks if a debugger is present.
    • Checks if process is running in a virtualized environment.
    • Checks if ProcessExplorer is running. ProcessExplorer is used to identify malware hiding inside a legitimate process as
    • a DLL, which occurs as a result of DLL injection.

    • Checks to see if WireShark is running. WireShark can be used to identify malicious traffic originating on your computer.
    • It registers itself in the registry under the key:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hlpAsist
      • RUNDLL32 “%USERPROFILE%\AppData\Roaming\Microsoft\MSDN\iodonk18.dll”, IDLE

7. Dropbox Mechanisms

  • There are 3 directories on the server:
    • obx – Contains modules used by the main module
    • ibx – Contains exfiltrated output uploaded by the plugins
    • rbx- Contains basic information about the connected client
  • After the stored data is retrieved by the attackers, it is deleted from the Dropbox account.
  • The Dropbox user that registered the account has the following details:
    • Name: P*****
    • Email: P********@mail.ru

8. Encryption Mechanisms

  • The data-stealing plugins store all their output in: %USERPROFILE%\AppData\Roaming\Media
  • Before being sent to Dropbox by the main module, the files are encrypted with Blowfish.
  • The Blowfish encryption key is the client ID.

9. Data-Stealing Plugins

  • File Collector: Searches for variety of file types that are stored locally or on shared drives (including doc, docx, xls, xlsx, ppt, pptx, pdf, zip, rar, db, txt) . Files are uploaded on-demand.
  • USB File Collector: Searches for variety of file types on USB drives (including doc, docx, xls, xlsx, ppt, pptx, pdf, zip, rar, db, txt).
  • Browser Data Collector: Used to steal passwords and other sensitive information stored in browsers.
  • Microphone: Captures audio conversations.
  • Computer Info Collector: Collects data about the client such as Windows OS version, computer name, user name, IP address, MAC address, antivirus software, etc.

Not all of the plugins are downloaded to every target. Each module has a unique extension which is the client ID. This is how the main module knows which modules should be downloaded to a particular target.


1) Operation BugDrop was a cyber-reconnaissance mission; its goal was to gather intelligence about targets in various domains including critical infrastructure, media, and scientific research. We have no evidence that any damage or harm has occurred from this operation, however identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives.

2) Skilled hackers with substantial financial resources carried out Operation BugDrop. Given the amount of data analysis that needed to be done on daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience. While we are comfortable assigning nation-state level capabilities to this operation, we have no forensic evidence that links BugDrop to a specific nation-state or group. “Attribution” is notoriously difficult, with the added difficulty that skilled hackers can easily fake clues or evidence to throw people off their tail.

3) Private and public sector organizations need to continuously monitor their IT and OT networks for anomalous activities indicating they’ve been compromised. Fortunately, new algorithmic technologies like behavioral analytics are now available to rapidly identify unusual or unauthorized activities with minimal false positives, especially when combined with actionable threat intelligence. Organizations also need deep forensics to identify the scope and impact of a breach, as well as an enterprise-wide incident response plan that can be carried out quickly and at scale.

Hashes (SHA-256)

Decoy Document:



Screenshot Collector:


File Collector

USB File Collector:

Browser Data Collector:


Computer Info Collector: