A new attack effort called CLOUD#REVERSER has been spotted using legitimate cloud storage services such as Google Drive and Dropbox to stage malicious payloads.

“The VBScript and PowerShell scripts in CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

“The scripts are designed to fetch files that match specific patterns, suggesting they are waiting for commands or scripts placed in Google Drive or Dropbox.”

The attack chain begins with a phishing email that includes a ZIP archive file containing an executable disguised as a Microsoft Excel file.

You might be interested: CISA Alerts on GitLab Password Reset Exploit

In an unusual twist, the filename utilizes the hidden right-to-left override (RLO) Unicode character (U+202E) to reverse the order of the characters following that character in the string.

As a result, the filename “RFQ-101432620247flU+202Exslx.exe” appears to the victim as “RFQ-101432620247flexe.xlsx,” leading them to believe they are opening an Excel document.

The executable is designed to drop eight payloads, including a decoy Excel file (“20240416.xlsx”) and a heavily obfuscated Visual Basic (VB) Script (“3156.vbs”) responsible for displaying the XLSX file to the user to maintain the ruse and launching two other scripts named “i4703.vbs” and “i6050.vbs.”

To avoid raising red flags, both scripts establish persistence on the Windows host via a scheduled job that masquerades as a Google Chrome browser update. Nonetheless, the scheduled tasks are programmed to execute two distinct VB scripts named “97468.tmp” and “68904.tmp” every minute.

Each of these scripts is used to launch two different PowerShell scripts: “Tmp912.tmp” and “Tmp703.tmp.” These PowerShell scripts are then employed to log in to an actor-controlled Dropbox and Google Drive account, from which they download two additional PowerShell scripts referred to as “tmpdbx.ps1” and “zz.ps1.”

The VB scripts are configured to execute the newly downloaded PowerShell scripts, retrieving additional files from the cloud services, including binaries that may be executed based on system settings.

According to the investigators, “The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory.”

Because both PowerShell scripts are downloaded in real-time, threat actors can modify them at any time to define which files can be downloaded and executed on the compromised server.

Additionally, another PowerShell script, “68904.tmp,” can download a compressed binary and run it directly from memory to maintain a network connection to the attacker’s command-and-control (C2) server.

The Texas-based cybersecurity firm informed The Hacker News that it is unable to provide information on the campaign’s targets or scale because the investigation is ongoing.

This revelation serves as another indication that threat actors are increasingly exploiting lawful services to avoid detection.

The investigators emphasized, “This approach follows a common thread where threat actors manage to infect and persist on compromised systems while blending into regular background network noise. By embedding malicious scripts within seemingly innocuous cloud platforms, the malware not only ensures sustained access to targeted environments but also utilizes these platforms as conduits for data exfiltration and command execution.”

SOURCE