News

Biden Campaign Staffers Targeted in Cyberattack Leveraging Antivirus Lure, Dropbox Ploy

  • Lindsey O'Donnell--Threatpost
  • published date: 2020-10-16 20:00:43 UTC

Google’s Threat Analysis Group sheds more light on targeted credential phishing and malware attacks on the staff of Joe Biden’s presidential campaign.

<div class="c-article__content js-reading-content"> <p>Hackers sent Joe Biden’s presidential campaign staffers malicious emails that impersonated anti-virus software company McAfee, and used a mix of legitimate services (such as Dropbox) to avoid detection. The emails were an attempt to steal staffers’ credentials and infect them with malware.</p> <p>The unsuccessful advanced persistent threat group (APT) attacks on Biden’s campaign <a href="https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/" target="_blank" rel="noopener noreferrer">were first uncovered in June</a>, along with cyberattacks targeting Donald Trump’s campaign. However, the details of the attacks themselves, and the tactics used, were scant until Google Threat Analysis Group’s (TAG) Friday analysis.</p> <p>“In one example, attackers impersonated McAfee,” said <a href="https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats" target="_blank" rel="noopener noreferrer">researchers on Friday</a>. “The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system.”</p> <p><a href="https://threatpost.com/newsletter-sign/"><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a></p> <p>The campaign was based on email based links that would ultimately download malware hosted on GitHub, researchers said. The malware was specifically a python-based implant using Dropbox for command and control (C2), which once downloaded would allow the attacker to upload and download files and execute arbitrary commands.</p> <p>Every malicious piece of this attack was hosted on legitimate services – making it harder for defenders to rely on network signals for detection, researchers noted.</p> <div id="attachment_160235" style="width: 310px" class="wp-caption alignleft"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/16152649/pasted_image_0_6_uyg1GfN.max-1000x1000-1.png"><img aria-describedby="caption-attachment-160235" loading="lazy" class="size-medium wp-image-160235" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/16152649/pasted_image_0_6_uyg1GfN.max-1000x1000-1-300x265.png" alt="google mcafee phishing cyberattack biden" width="300" height="265"></a><p id="caption-attachment-160235" class="wp-caption-text">The McAfee lure used in the Biden cyberattack. Credit: Google</p></div> <p>Google attributed the attack on Biden’s campaign staff to <a href="https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/" target="_blank" rel="noopener noreferrer">APT 31</a> (also known as Zirconium). According to reports, this threat actor is tied to the Chinese government.</p> <p>Beyond staffers on the “Joe Biden for President” campaign, APT 31 has also been targeting “prominent individuals in the international affairs community, academics in international affairs from more than 15 universities,” according to <a href="https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/" target="_blank" rel="noopener noreferrer">previous Microsoft research.</a></p> <p>The threat group’s TTPs include using web “beacons” that are tied to an attacker-controlled domain. The group then sends the URL of the domain to targets via email text (or attachment) and persuades them to click the link via social engineering.</p> <p>“Although the domain itself may not have malicious content, [this] allows Zirconium [APT 31] to check if a user attempted to access the site,” said Microsoft. “For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”</p> <p>On the other side of the coin, the <a href="https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/" target="_blank" rel="noopener noreferrer">personal email accounts of staffers</a> associated with the “Donald J. Trump for President” campaign have also been targeted by another threat group called APT 35 (also known as Phosphorus and Charming Kitten), which researchers said operates out of Iran. The Iran-linked hacking group has been known to use phishing as an attack vector, and <a href="https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/" target="_blank" rel="noopener noreferrer">in February</a> was discovered targeting public figures in phishing attacks that stole victims’ email-account information.</p> <div id="attachment_160236" style="width: 310px" class="wp-caption alignleft"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/16152806/imageLikeEmbed_1.max-1000x1000-1.png"><img aria-describedby="caption-attachment-160236" loading="lazy" class="size-medium wp-image-160236" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/16152806/imageLikeEmbed_1.max-1000x1000-1-300x185.png" alt="google mcafee phishing cyberattack biden" width="300" height="185"></a><p id="caption-attachment-160236" class="wp-caption-text">Government backed attacker warnings sent in 2020. Credit: Google</p></div> <p>However, researchers said the good news is that there’s increased attention on the threats posed by APTs in the context of the U.S. election. Google for its part said it removed 14 Google accounts that were linked to Ukrainian Parliament member Andrii Derkach shortly after the U.S. Treasury <a href="https://home.treasury.gov/news/press-releases/sm1118" target="_blank" rel="noopener noreferrer">sanctioned</a> Derkach for attempting to influence the U.S. elections.</p> <p>“U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem,” said Google researchers.</p> <p>With the 2020 U.S. Presidential Election just around the corner, cybersecurity concerns are under the spotlight – including worries about <a href="https://threatpost.com/black-hat-voting-machine-vendor-embraces-hackers/158085/" target="_blank" rel="noopener noreferrer">the integrity of voting machines</a>, the expected <a href="https://threatpost.com/black-hat-mail-in-voting-challenges/158075/" target="_blank" rel="noopener noreferrer">expansion of mail-in voting</a> due to COVID-19 <a href="https://threatpost.com/disinformation-spurs-a-thriving-industry-as-u-s-election-loom/158648/" target="_blank" rel="noopener noreferrer">and disinformation campaigns</a>.</p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Biden Campaign Staffers Targeted in Cyberattack Leveraging Antivirus Lure, Dropbox Ploy" data-url="https://threatpost.com/biden-campaign-staffers-targeted-in-cyberattack-leveraging-anti-virus-lure-dropbox-ploy/160234/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/government/">Government</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>