The cyber security firm CyberX calls it Operation BugDrop because the malware eavesdrops by controlling microphones — bugging its targets — and uses Dropbox to store the data that it steals.
In a blog post, the company said it had confirmed that at least 70 people, from various sectors like critical infrastructure, media and scientific research, had fallen victim to the malware that was carrying out the cyber surveillance.
While malware that takes over video cameras on PCs or laptops can be blocked by placing a piece of tape over the camera, the microphone on a PC or laptop requires dismantling to disable.
CyberX said most of the targets had been in Ukraine but there were smaller numbers in Russia, Saudi Arabia and Austria.
"Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organisations by the Ukrainian government," the company wrote.
It said that the operation appeared to be well-funded as there would be considerable infrastructure needed at the back-end to store, decrypt and analyse the gigabytes of unstructured data that were being captured each day.
The CyberX team said the operation had some similarities to one discovered by anti-virus firm ESET in May last year which was christened Operation Groundbait. But, on closer examination, they had found that Operation BugDrop was more sophisticated.
For one, the use of Dropbox was clever because Dropbox traffic would not be normally blocked by firewalls in corporate set-ups.
Secondly, the use of reflective DLL injection, the same technique as used in the attacks on the Ukrainian power grid and by Duqu in the Stuxnet attacks indicated that those creating the malware were experienced hands.
"Reflective DLL Injection loads malicious code without the normal Windows API calls, thereby bypassing security verification of the code before its gets loaded into memory," CyberX pointed out.
Thirdly, the DLLs were encrypted and hence avoided being detected by common anti-virus and sandboxing systems which are unable to analyse encrypted files.
And finally, the BugDrop operation used legitimate free Web hosting sites for its command-and-control infrastructure.