Malware Supply through Cloud Companies Exploits Unicode Trick to Deceive Customers

Might 21, 2024NewsroomCloud Security / Information Safety

A brand new assault marketing campaign dubbed CLOUD#REVERSER has been noticed leveraging legit cloud storage companies like Google Drive and Dropbox to stage malicious payloads.

“The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov mentioned in a report shared with The Hacker Information.

“The scripts are designed to fetch files that match specific patterns, suggesting they are waiting for commands or scripts placed in Google Drive or Dropbox.”

The start line of the assault chain is a phishing e mail bearing a ZIP archive file, which incorporates an executable that masquerades as a Microsoft Excel file.

Cybersecurity

In an attention-grabbing twist, the filename makes use of the hidden right-to-left override (RLO) Unicode character (U+202E) to reverse the order of the characters that come after that character within the string.

In consequence, the filename “RFQ-101432620247fl*U+202E*xslx.exe” is exhibited to the sufferer as “RFQ-101432620247flexe.xlsx,” thus deceiving them into considering that they’re opening an Excel doc.

The executable is designed to drop a complete of eight payloads, together with a decoy Excel file (“20240416.xlsx”) and a closely obfuscated Visible Primary (VB) Script (“3156.vbs”) that is accountable for displaying the XLSX file to the person to take care of the ruse and launch two different scripts named “i4703.vbs” and “i6050.vbs.”

Malware Delivery via Cloud Services

Each scripts are used to arrange persistence on the Home windows host via a scheduled job by masquerading them as a Google Chrome browser replace job to keep away from elevating purple flags. That mentioned, the scheduled duties are orchestrated to run two distinctive VB scripts known as “97468.tmp” and “68904.tmp” each minute.

Every of those scripts, in flip, is employed to run two completely different PowerShell scripts “Tmp912.tmp” and “Tmp703.tmp,” that are used to connect with an actor-controlled Dropbox and Google Drive account and obtain two extra PowerShell scripts known as “tmpdbx.ps1” and “zz.ps1”

The VB scripts are then configured to run the newly downloaded PowerShell scripts and fetch extra recordsdata from the cloud companies, together with binaries that may very well be executed relying on the system insurance policies.

“The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory,” the researchers mentioned.

The truth that each the PowerShell scripts are downloaded on-the-fly means they may very well be modified by the menace actors at will to specify the recordsdata that may be downloaded and executed on the compromised host.

Cybersecurity

Additionally downloaded through 68904.tmp is one other PowerShell script that is able to downloading a compressed binary and operating it straight from reminiscence with a view to preserve community connection to the attacker’s command-and-control (C2) server.

The Texas-based cybersecurity agency advised The Hacker Information that it is unable to supply details about the targets and the size of the marketing campaign owing to the truth that the investigation continues to be in progress.

The event is as soon as once more an indication that menace actors are more and more misusing legit companies to their benefit and fly beneath the radar.

“This approach follows a common thread where threat actors manage to infect and persist onto compromised systems while maintaining to blend into regular background network noise,” the researchers mentioned.

“By embedding malicious scripts within seemingly innocuous cloud platforms, the malware not only ensures sustained access to targeted environments but also utilizes these platforms as conduits for data exfiltration and command execution.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.

Recent articles

Grasp Certificates Administration: Be part of This Webinar on Crypto Agility and Finest Practices

Nov 15, 2024The Hacker InformationWebinar / Cyber Security Within the...

9 Worthwhile Product Launch Templates for Busy Leaders

Launching a product doesn’t should really feel like blindly...

How Runtime Insights Assist with Container Safety

Containers are a key constructing block for cloud workloads,...