A new hacking campaign has been spotted in which the attackers are abusing legitimate cloud storage services to host malicious payloads.
In a research report, Securonix said that the campaign starts with a phishing email containing a .ZIP archive. When unzipped, the archive delivers an executable file that was made to look like an Excel file. The file uses a hidden left-to-right override (RLO) Unicode character, reversing the order of the characters that follow.
So, instead of seeing the file name as “RFQ-101432620247fl*U+202E*xslx.exe”, the victims will see “RFQ-101432620247flexe.xlsx” and can thus be tricked into thinking they’re opening a spreadsheet file.
Abusing the cloud
The .ZIP archive comes with a couple of additional scripts to make the entire campaign seem more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive.
“The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory,” the researchers said.
This is not the first time hackers were observed abusing cloud services to host malware, or run malicious campaigns in general.
For example, Google Docs, Google’s cloud-based word processor, has the ability to share files with other people via email, using Google’s infrastructure. Hackers were abusing this fact to bypass spam protections and get malicious emails to land directly into people’s inboxes. Other services, such as DocuSign, Sharepoint, GitHub, and many others.
In fact, according to Netskope’s report published two years ago, cloud applications were the number one distributor of malware in 2021.
Securonix dubbed this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.
Via The Hacker News
+ There are no comments
Add yours