Researchers discovered that malicious actors launched a new malware campaign dubbed CLOUD#REVERSER. The infection chain abuses well-known cloud storage services, Google Drive and Dropbox, to deliver the malware.
By updating its operating scripts and retrieving commands from a remote server, the malware can steal data and perform remote code execution. For that it uses VBScript and PowerShell scripts that are re-run via Windows scheduled tasks.
Because the malicious code lives on the cloud storage platform, the attackers gain persistence on the victim's system.
The CLOUD#REVERSER infection chain
Hackers use phishing emails for initial access. They trick their victims into downloading a zip archive attachment whose contents look like a Microsoft Office Excel file, icon included.
The malicious actors use the classic right-to-left override (RLO) character technique to make the executable file (.exe) look like an Excel document (.xlsx).
After the victim double-clicks the malicious attachment, the malware drops VBScripts and a lure file into the C:\ProgramData directory. It then runs the first VBScript, 3156.vbs, to obtain persistence.
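The RLO disguise described above can be caught before a user ever sees the attachment. The following is an added example, not code from the article or from the researchers: it approximates how a file manager renders a name containing U+202E and compares the extension the operating system acts on with the one the user would perceive. The simplified rendering and the sample filename are this example's own assumptions.

```python
"""Flag attachment names that abuse Unicode bidi controls (the RLO trick)."""

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used to hide a real extension.
BIDI_CONTROLS = frozenset(
    ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
     "\u2066", "\u2067", "\u2068", "\u2069"]             # LRI, RLI, FSI, PDI
)
RLO, PDF = "\u202e", "\u202c"


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders the name: text after an RLO is
    shown reversed until a PDF or the end of the string. This is a deliberate
    simplification of the Unicode bidi algorithm, sufficient for this trick."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # other controls: drop, no reordering
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Compare the extension the OS acts on with the one a user would perceive."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    real_ext = _extension(name)
    perceived_ext = _extension(displayed_name(name))
    return {
        "bidi_controls": controls,
        "real_extension": real_ext,
        "perceived_extension": perceived_ext,
        # Any bidi control in a filename is unusual; a mismatch is the RLO trick.
        "suspicious": bool(controls) and real_ext != perceived_ext,
    }
```

A constructed name such as `"Q2_report_\u202exslx.exe"` renders as `Q2_report_exe.xlsx` yet runs as an `.exe`, so `analyze_filename` reports it as suspicious; a plain `Q2_report.xlsx` is not.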
Researchers were able to identify two VBScripts:
- 97468.tmp
- 68904.tmp
Both scripts are executed through schtasks (Windows scheduled tasks). Their goal is to launch PowerShell commands that execute two further hidden PowerShell scripts:
- Tmp912.tmp
- Tmp703.tmp
These last two scripts connect to Dropbox and Google Drive accounts that the hackers control. They also download two more PowerShell scripts:
- tmpdbx.ps1
- zz.ps1
Both of these PowerShell scripts can self-update: they are deleted and re-downloaded every time the scheduled task runs, which makes the threat even harder for security software to detect.
Researchers revealed that zz.ps1 can "download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory" (source: The Hacker News).
How to avoid a CLOUD#REVERSER attack
Like many other cyber-attacks, CLOUD#REVERSER starts with one click on the wrong email. Educating employees to recognise phishing emails, in an era when attackers also have generative AI at their disposal, is a must.
But you must be aware that people make mistakes. The best bet against phishing attacks is a DNS filtering solution that detects and blocks malicious communication on the spot.