2022-07-26

Russia APT29 Leverages Online Storage Services

Industry: Government | Level: Tactical | Source: Palo Alto Unit42


Research from Palo Alto Unit42 has identified the Russian threat actor APT29 incorporating online storage services such as Dropbox and Google Drive into its operations. In terms of TTPs, the use of Google Drive is new for APT29: "The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT's malware delivery process exceptionally concerning." Foreign diplomatic missions have been the group's focus for the past six months. APT29 phishing campaigns were initially observed leveraging Dropbox to deliver the EnvyScout malware through a malicious LNK file. Use of Google Drive was observed starting in May 2022 to download additional payloads, such as Cobalt Strike, into the target environment.

Anvilogic Scenario:

  • LNK File Leads to Cobalt Strike

Anvilogic Use Cases:

  • Symbolic OR Hard File Link Created
  • Rundll32 Command Line
  • Suspicious File written to Disk
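As an added example (not Anvilogic's detection content and not code from the Unit42 report), the Python below sketches how the use cases above could be chained into the "LNK File Leads to Cobalt Strike" scenario: a per-host correlation that looks for a LNK shortcut written to disk, followed by a rundll32 launch, followed by an outbound connection to one of the two storage services the report names. The event schema, the 30-minute window, the matched hostnames and the sample telemetry are all constructed assumptions; the "Symbolic OR Hard File Link Created" use case is not modelled here.

```python
from datetime import datetime, timedelta

# Assumed: the two storage services the report names. Matching is on the
# destination hostname of a network-connection event (exact or subdomain).
CLOUD_STORAGE_HOSTS = ("dropbox.com", "drive.google.com")
# Assumed correlation window; tune to the real latency of the telemetry.
WINDOW = timedelta(minutes=30)


def _ts(s):
    return datetime.fromisoformat(s)


def lnk_written(ev):
    """Use case 'Suspicious File written to Disk', narrowed to the LNK
    shortcut the report describes as the EnvyScout delivery vehicle."""
    return ev["type"] == "file_write" and ev["path"].lower().endswith(".lnk")


def rundll32_launch(ev):
    """Use case 'Rundll32 Command Line': a process event whose image is rundll32.exe."""
    return ev["type"] == "process" and ev["image"].lower().endswith("rundll32.exe")


def cloud_storage_conn(ev):
    """Outbound connection to one of the storage services named in the report."""
    if ev["type"] != "netconn":
        return False
    host = ev["dest_host"].lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_HOSTS)


def correlate(events):
    """Per host, look for LNK write -> rundll32 launch -> cloud-storage
    connection, in that order and all within WINDOW of the LNK write.
    Returns one hit dict per matching host."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    hits = []
    for host, evs in by_host.items():
        for i, lnk in enumerate(evs):
            if not lnk_written(lnk):
                continue
            deadline = lnk["ts"] + WINDOW
            later = [e for e in evs[i + 1:] if e["ts"] <= deadline]
            run = next((e for e in later if rundll32_launch(e)), None)
            if run is None:
                continue
            conn = next((e for e in later
                         if e["ts"] > run["ts"] and cloud_storage_conn(e)), None)
            if conn is None:
                continue
            hits.append({"host": host, "lnk": lnk["path"],
                         "cmdline": run["cmdline"], "dest": conn["dest_host"]})
            break  # one hit per host is enough to raise the scenario
    return hits


# Constructed sample telemetry (not real logs). WS01 shows the full chain,
# WS02 runs rundll32 for a benign reason with no LNK or storage traffic,
# WS03 writes a LNK but only reaches an ordinary update host.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": _ts("2022-05-10T09:00:00"), "type": "file_write",
     "path": r"C:\Users\alice\Downloads\Agenda.lnk"},
    {"host": "WS01", "ts": _ts("2022-05-10T09:01:10"), "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Start"},
    {"host": "WS01", "ts": _ts("2022-05-10T09:01:25"), "type": "netconn",
     "dest_host": "drive.google.com"},
    {"host": "WS02", "ts": _ts("2022-05-10T09:05:00"), "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS03", "ts": _ts("2022-05-10T09:10:00"), "type": "file_write",
     "path": r"C:\Users\bob\Desktop\Report.lnk"},
    {"host": "WS03", "ts": _ts("2022-05-10T09:12:00"), "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe printui.dll,PrintUIEntry"},
    {"host": "WS03", "ts": _ts("2022-05-10T09:12:30"), "type": "netconn",
     "dest_host": "updates.example.com"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Ordering is what separates the scenario from its noisy parts: rundll32 on its own, or a LNK write on its own, fires constantly in a normal fleet, so the correlation only raises when all three steps line up on one host inside the window. In production the hostname allow-list should be replaced by the organisation's own view of sanctioned storage traffic, since Dropbox and Google Drive are legitimate for many users.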
