Operation BugDrop hackers use Word documents

Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Give it a try. You can unsubscribe at any time.

CyberX Labs has identified Operation BugDrop, which uses Word document to attack targeted businesses and steal corporate information.

They send emails to the business they want to raid that trick people into enabling macros.

Opening the hacked document displays the Security Warning and ‘Enable Content’ button are real; created by Word.

But the sincere looking notice with MS Office logo in the document is totally fake.

Source: CyberX Labs

The fake message says in Russian

Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document.

This is b*llsh#t, pure and simple.  There’s no need to enable macros to open documents made in different versions of Office.  Word, Excel and Powerpoint can open older and newer documents without the need for macros.

If you ever see a document with some type of ‘Microsoft Office’ message in the document contents, close it immediately.  It’s a sure sign of a hacked document that you and your computer want no part of.

What Operation BugDrop does

Once they’ve infected one computer, the virus spreads across the corporate network.

The virus grabs gigabytes of data from the company each day and sends it to the hackers.

It’s grabbing documents, passwords, screen shots.

Microphones on!

Even audio recordings are made by switching on a computer microphone.  Conversations are secretly recorded and sent out to the hackers.


As CyberX Labs note, it must be a sophisticated operation to go through the large amount of stolen data to find useful information.

Operation BugDrop seems to originate in Russia and is targeting mostly Ukrainian businesses including key infrastructure, human rights bodies and the media.  Over 70 organizations have been targeted so far.

It’s started with the Ukraine but the same techniques are already being used in other countries and businesses.


One clever trick in the attack is using Dropbox as the outgoing gateway for stolen data.  Dropbox is so commonly used that most organizations don’t block it.  A large data transfer to Dropbox is less likely to arose suspicion.

Other tricks are bypassing standard Windows API calls which avoids security verifications built into Windows.  The key DLL’s are encrypted to prevent anti-virus scans from identifying the contents.


Want More?

Office Watch has the latest news and tips about Microsoft Office.  Delivered once a week.