A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads.
“The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
“The scripts are designed to fetch files that match specific patterns, suggesting they are waiting for commands or scripts placed in Google Drive or Dropbox.”
The starting point of the attack chain is a phishing email bearing a ZIP archive file, which contains an executable that masquerades as a Microsoft Excel file.
In an interesting twist, the filename makes use of the hidden right-to-left override (RLO) Unicode character (U+202E) to reverse the order of the characters that come after that character in the string.
As a result, the filename “RFQ-101432620247fl*U+202E*xslx.exe” is displayed to the victim as “RFQ-101432620247flexe.xlsx,” thus deceiving them into thinking that they’re opening an Excel document.
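The check below is an added example, not code from the Securonix report or the original article: it flags filenames that contain bidirectional control characters and approximates how they would be displayed, using the filename quoted above. The function names, the extension list and the single-RLO rendering model are assumptions made for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                      # LRM, RLM, ALM
}
RLO = "\u202e"
# Illustrative list of extensions Windows will execute or interpret (assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "ps1", "lnk"}


def approx_display(name):
    """Approximate rendering: text after the first RLO is shown reversed.
    Simplification (assumption): one RLO, no terminating PDF character."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def ext_of(name):
    """Extension as the filesystem sees it: text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_filename(name):
    found = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    shown = approx_display(name)
    actual, apparent = ext_of(name), ext_of(shown)
    return {
        "bidi_controls": found,
        "displayed_as": shown,
        "real_ext": actual,          # what the OS will act on
        "apparent_ext": apparent,    # what the user believes they see
        "suspicious": bool(found) and (actual in EXECUTABLE_EXTS or actual != apparent),
    }


# Filename from the article, with the U+202E placeholder replaced by the real character.
SAMPLE = "RFQ-101432620247fl\u202exslx.exe"

if __name__ == "__main__":
    for n in (SAMPLE, "quarterly-report.xlsx"):  # second name is a constructed benign sample
        print(repr(n), inspect_filename(n))
```

The same test can be applied to attachment names at a mail gateway or to process-creation and file-creation telemetry, since the control character survives in the stored filename even though it is invisible on screen.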
The executable is designed to drop a total of eight payloads, including a decoy Excel file (“20240416.xlsx”) and a heavily obfuscated Visual Basic (VB) Script (“3156.vbs”) that’s responsible for displaying the XLSX file to the user to maintain the ruse and for launching two other scripts named “i4703.vbs” and “i6050.vbs.”
Both scripts are used to set up persistence on the Windows host by means of a scheduled task, masquerading as a Google Chrome browser update task to avoid raising red flags. That said, the scheduled tasks are orchestrated to run two unique VB scripts called “97468.tmp” and “68904.tmp” every minute.
Each of these scripts, in turn, is employed to run two different PowerShell scripts, “Tmp912.tmp” and “Tmp703.tmp,” which are used to connect to an actor-controlled Dropbox and Google Drive account and download two more PowerShell scripts called “tmpdbx.ps1” and “zz.ps1.”
The VB scripts are then configured to run the newly downloaded PowerShell scripts and fetch more files from the cloud services, including binaries that could be executed depending on the system policies.
“The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory,” the researchers said.
The fact that both the PowerShell scripts are downloaded on-the-fly means they could be modified by the threat actors at will to specify the files that can be downloaded and executed on the compromised host.
Also downloaded via 68904.tmp is another PowerShell script that’s capable of downloading a compressed binary and running it directly from memory in order to maintain a network connection to the attacker’s command-and-control (C2) server.
The Texas-based cybersecurity firm told The Hacker News that it’s unable to provide information about the targets and the scale of the campaign owing to the fact that the investigation is still in progress.
The development is once again a sign that threat actors are increasingly misusing legitimate services to their advantage to fly under the radar.
“This approach follows a common thread where threat actors manage to infect and persist onto compromised systems while maintaining to blend into regular background network noise,” the researchers said.
“By embedding malicious scripts within seemingly innocuous cloud platforms, the malware not only ensures sustained access to targeted environments but also utilizes these platforms as conduits for data exfiltration and command execution.”