Heimdal
article featured image

Contents:

Researchers discovered that malicious actors launched a new malware campaign dubbed CLOUD#REVERSER. The infection chain uses notorious cloud storage services like Google Drive and Dropbox to deploy the malware.

By updating operating scripts and retrieving commands from a remote server, the malware can steal data and perform remote code execution. For that it uses VBScript and PowerShell scripts that are repeated via Windows scheduled tasks.

As the malicious code embeds itself within the storage platform, hackers gain persistence into their victim’s system.

The CLOUD#REVERSER infection chain

Hackers use phishing emails for initial access. They trick their victims to download a zip archive attachment that looks like a Microsoft Office Excel file icon.

The malicious actors use a classic right to left override character technique to make the executable file (.exe) look like an Excel document (.xlsx).

After the victim double-clicks the malicious attachment, the malware installs VBScripts and a lure file, into the C:\ProgramData directory. After that, it runs the first VBScript – 3156.vbs – to obtain persistence.

Researchers were able to identify two VBScripts:

  • 97468. tmp
  • 68904. tmp

Both scripts use Schtasks for execution. Their goal is to launch PowerShell commands to execute other hidden PowerShell scripts:

  • Tmp912. tmp
  • Tmp703. tmp

These last two scripts connect to Dropbox and Google Drive accounts that the hackers control. Also, they download another two PowerShell scripts:

  • tmpdbx. ps1
  • zz. ps1

Both of these PowerShell scripts can self-update, by deleting and redownloading every time the scheduled task executes. This makes it even harder for security software to detect the threat.

Researchers revealed that zz.ps1 can

download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory

Source – The Hacker News

How to avoid a CLOUD#REVERSER attack

Like many other cyber-attacks, CLOUD#REVERSER starts with one click on a wrong email. Educating employees to identify phishing emails in the malicious generative AI era is a must.

But you must be aware that people make mistakes. The best bet against phishing attacks is using a DNS filtering solution that will detect and block malicious communication on the spot.

Click here to see how would such a tool work for you.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE