Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive

Researchers document Cloaked Ursa (APT29) campaigns that weaponize trusted cloud storage services to hide malware delivery, notably Dropbox and Google Drive. The campaigns deploy EnvyScout HTML droppers to fetch Agenda.iso payloads and use Google Drive-based exfiltration and Cobalt Strike beacons, complicating detection.
#CloakedUrsa #EnvyScout #CobaltStrike #GoogleDrive #Dropbox

Keypoints

  • Cloaked Ursa (also known as APT29, Nobelium, Cozy Bear) is linked to Russia’s SVR by multiple governments and researchers.
  • The actor’s latest campaigns incorporate trusted online storage services (Dropbox and Google Drive) to deliver payloads and hide malicious activity.
  • Campaigns targeted Western diplomatic missions (Portugal and Brazil) with lure documents (Agenda.pdf) linking to EnvyScout HTML droppers.
  • The delivery chain includes an EnvyScout HTML dropper that deobfuscates and writes an Agenda.iso payload to disk, then executes via a Windows shortcut.
  • Agenda.iso contains layered artifacts (underscore payload, agenda.exe signed by Adobe, vcruntime140.dll, vctool140.dll) that decompress and load in memory to deploy a Google Drive-based .NET payload (GoogleDrive).
  • Google Drive is used for persistence, data collection, and C2 communications, including uploading victim data and downloading additional payloads; C2 domains include crossfity[.]com and techspaceinfo[.]com.
  • Registry-based persistence (Run keys) and DLL side-loading techniques are used to maintain footholds and evade defenses.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The lure PDFs (Agenda.pdf) were used to deliver the initial payloads. Quote: “…phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper…”
  • [T1566.002] Phishing: Spearphishing Link – Agenda.pdf included links to Agenda.html hosted on cloud storage. Quote: “Link: www.dropbox[.]com/s/dhueerinrg9k97k/agenda.html?dl=1”
  • [T1036] Masquerading – Agenda.exe is an Adobe-signed binary repurposed to evade defenses. Quote: “Agenda.exe – Adobe Executable … digitally signed by Adobe, Inc., and is being used to evade detection … by abusing the trust of digitally signed applications.”
  • [T1059.003] Windows Command Shell – The infection flow uses cmd.exe to start agenda.exe. Quote: “cmd.exe is used to execute agenda.exe in the current working directory.”
  • [T1574.001] DLL Side-Loading – Vcruntime140.dll is hijacked to load the actor’s DLL vctool140.dll. Quote: “Vcruntime140.dll is a DLL loaded by agenda.exe… not the legitimate Microsoft file, as it has been altered to load the actor’s malicious DLL, vctool140.dll.”
  • [T1055] Process Injection/In-Memory Execution – The payload is decompressed and loaded in memory (in-memory execution of the loader and payload). Quote: “loads and executes downloaded payload file in memory.”
  • [T1082] System Information Discovery – The Google Drive payload collects machine information. Quote: “Retrieves information from the victim such as: running processes, machine name and network IP information.”
  • [T1057] Process Discovery – The payload gathers running processes as part of its reconnaissance. Quote: “retrieves information from the victim such as: running processes…”
  • [T1567.002] Exfiltration to Cloud Storage – Data is uploaded to Google Drive shares. Quote: “Uploads the data collected … to the Google Drive share with a unique client ID…”
  • [T1071.001] Web Protocols / C2 over Web Services – Cobalt Strike beacons and C2 communications with external domains. Quote: “Command and control (C2) comms established with crossfity[.]com.”
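As an added illustration (not code from the Unit 42 report or this summary), the detection logic below runs over constructed Sysmon-style events and flags two elements of the chain described above: cmd.exe launching an executable from a mounted image drive, and vcruntime140.dll loaded from outside the Windows system directories or without a Microsoft signature. The event field names, drive letter and sample paths are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (not from the report) modelling the Agenda.iso
# chain: cmd.exe starts agenda.exe from the mounted ISO (drive E: here), and
# agenda.exe loads a vcruntime140.dll beside it instead of the copy in System32.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Microsoft Windows"},
    {"type": "process_create", "image": r"E:\agenda.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "signer": "Adobe Inc."},
    {"type": "image_load", "image": r"E:\agenda.exe",
     "loaded": r"E:\vcruntime140.dll", "signer": "Unsigned"},
    {"type": "image_load", "image": r"C:\Program Files\App\app.exe",  # benign
     "loaded": r"C:\Windows\System32\vcruntime140.dll", "signer": "Microsoft Windows"},
]

SIDELOAD_DLLS = {"vcruntime140.dll"}  # runtime DLL named in the report's chain
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def is_sideloaded_runtime(ev):
    """Watched runtime DLL loaded outside the system dirs or not Microsoft-signed."""
    if ev.get("type") != "image_load":
        return False
    path = ev["loaded"]
    if ntpath.basename(path).lower() not in SIDELOAD_DLLS:
        return False
    in_system_dir = ntpath.dirname(path).lower() in TRUSTED_DLL_DIRS
    ms_signed = ev.get("signer", "").lower().startswith("microsoft")
    return not (in_system_dir and ms_signed)

def is_cmd_launch_from_mounted_image(ev):
    """cmd.exe starting an executable from a non-C: drive, as the ISO shortcut does."""
    if ev.get("type") != "process_create":
        return False
    parent = ntpath.basename(ev.get("parent", "")).lower()
    drive = ntpath.splitdrive(ev["image"])[0].lower()
    return parent == "cmd.exe" and drive not in ("", "c:")

def scan(events):
    """Return (rule, path) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_sideloaded_runtime(ev):
            hits.append(("dll_sideload", ev["loaded"]))
        if is_cmd_launch_from_mounted_image(ev):
            hits.append(("cmd_launch_from_mounted_image", ev["image"]))
    return hits
```

The drive-letter heuristic will also fire on legitimate installers run from USB media, so it is a triage signal to combine with the DLL rule rather than an alert on its own.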

Indicators of Compromise

  • [Domain] Dropbox/Agenda.html hosting – dropbox[.]com/s/dhueerinrg9k97k/agenda.html
  • [Domain] Google Drive-related infrastructure – porodicno[.]ba/wp-content/Agenda.html, wethe6and9[.]ca/wp-content/Agenda.html
  • [IP] IPs involved – 77.75.78.212 (Campaign 1), 185.47.128.39, 31.31.74.79 (Cobalt Strike/C2)
  • [Email] matysovi@seznam[.]cz – lure sender in Campaign 1

Read more: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/