A new attack campaign tracked as CLOUD#REVERSER has been spotted using legitimate cloud storage services such as Google Drive and Dropbox to stage malicious payloads.
“The VBScript and PowerShell scripts in CLOUD#REVERSER inherently involve command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
“The scripts are designed to fetch files that match specific patterns, suggesting they are waiting for commands or scripts placed in Google Drive or Dropbox.”
The attack chain begins with a phishing email that includes a ZIP archive file containing an executable disguised as a Microsoft Excel file.
In an unusual twist, the filename embeds the invisible right-to-left override (RLO) Unicode character (U+202E), which reverses the display order of every character that follows it in the string.
As a result, the filename “RFQ-101432620247flU+202Exslx.exe” appears to the victim as “RFQ-101432620247flexe.xlsx,” leading them to believe they are opening an Excel document.
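The display trick above can be checked mechanically. The following added example (not code from the Securonix report) takes a filename, reports any Unicode bidirectional control characters it contains, approximates how a naive renderer would display it after a U+202E, and compares the displayed extension with the extension the operating system will actually use. The malicious name is the one quoted in the article; the benign name and all function names are constructed for illustration.

```python
# Unicode bidirectional control characters that can change how a filename is rendered.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in CLOUD#REVERSER; the others are
# listed because they enable the same class of display trickery.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}


def find_bidi_controls(name):
    """Return (index, character name) for every bidi control character in the filename."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a user sees: text after the first U+202E is drawn reversed.

    Only the single-RLO case used in this campaign is modelled; nested or mixed
    bidi controls are flagged by find_bidi_controls() but not rendered here.
    """
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def true_extension(name):
    """The extension the OS actually uses: text after the last '.' with bidi controls removed."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""


def assess(name):
    """Describe whether the filename's displayed extension matches its real one."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = true_extension(name)
    controls = find_bidi_controls(name)
    return {
        "controls": controls,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        # Suspicious when a bidi control is present AND it changes the apparent extension.
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # The attachment name from the report, with U+202E written as an escape.
    malicious = "RFQ-101432620247fl\u202exslx.exe"
    # Constructed benign name for comparison (the decoy document from the report).
    benign = "20240416.xlsx"
    for sample in (malicious, benign):
        result = assess(sample)
        print(f"{result['displayed']!r}: real extension .{result['real_ext'] or '?'}, "
              f"suspicious={result['suspicious']}")
```

The same check can run over a mail gateway's attachment names or a file-system listing; the decision rule is deliberately narrow (a control character that changes the apparent extension) so that legitimate right-to-left filenames without a hidden extension do not produce noise.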
The executable is designed to drop eight payloads, including a decoy Excel file (“20240416.xlsx”) and a heavily obfuscated Visual Basic (VB) Script (“3156.vbs”) responsible for displaying the XLSX file to the user to maintain the ruse and launching two other scripts named “i4703.vbs” and “i6050.vbs.”
To avoid raising red flags, both scripts establish persistence on the Windows host via a scheduled task that masquerades as a Google Chrome browser update. In reality, the scheduled tasks are programmed to execute two distinct VB scripts named “97468.tmp” and “68904.tmp” every minute.
Each of these scripts is used to launch two different PowerShell scripts: “Tmp912.tmp” and “Tmp703.tmp.” These PowerShell scripts are then employed to log in to an actor-controlled Dropbox and Google Drive account, from which they download two additional PowerShell scripts referred to as “tmpdbx.ps1” and “zz.ps1.”
The VB scripts are configured to execute the newly downloaded PowerShell scripts, retrieving additional files from the cloud services, including binaries that may be executed based on system settings.
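Persistence of the kind described above leaves a recognisable shape in Task Scheduler: a task that presents itself as a browser update yet runs a script host against a file with a non-script extension on a one-minute repetition. The following added example (not code from the report or from Securonix) triages an exported task definition in the standard Task Scheduler XML format, such as the output of `schtasks /query /xml` or `Export-ScheduledTask`. The sample XML, the task name, the file path under ProgramData and the helper names are all constructed for illustration; the report does not give the real task name or path.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts whose presence in a task action deserves a closer look.
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta")
# Extensions that should not normally be handed to a script host.
ODD_SCRIPT_EXTS = (".tmp", ".txt", ".log", ".dat")


def parse_iso8601_minutes(interval):
    """Convert a Task Scheduler duration such as PT1M or P1DT2H30M into minutes (None if unparseable)."""
    if not interval:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text, task_name="", max_interval_minutes=5):
    """Return a list of human-readable findings for one exported task (empty list = nothing odd)."""
    root = ET.fromstring(xml_text)
    findings = []
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=TASK_NS)

    # 1. Very tight repetition intervals are unusual for update tasks.
    intervals = [parse_iso8601_minutes(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    fast = [i for i in intervals if i is not None and i <= max_interval_minutes]
    if fast:
        findings.append(f"repeats every {min(fast):g} minute(s)")

    # 2. Inspect each Exec action: script host, odd extension, and mismatch with the stated purpose.
    claims_google = re.search(r"chrome|google", (task_name + " " + desc).lower())
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        host = cmd.lower().rsplit("\\", 1)[-1]
        if host.startswith(SCRIPT_HOSTS):
            findings.append(f"action runs script host {host}")
            if any(args.lower().rstrip('"').endswith(ext) for ext in ODD_SCRIPT_EXTS):
                findings.append(f"script argument has a non-script extension: {args}")
        if claims_google and "google" not in cmd.lower() and "chrome" not in cmd.lower():
            findings.append("describes itself as a Chrome/Google update but does not run a Google binary")
    return findings


# Constructed export resembling the persistence described in the report.
# The path and description are assumptions; the report names only the script files.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps Google Chrome up to date.</Description></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-04-16T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>"C:\\ProgramData\\97468.tmp"</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: hourly, runs an actual Google binary.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps your Google software up to date.</Description></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-04-16T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command><Arguments>/ua</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("GoogleUpdateTaskMachineUA", SUSPECT_TASK_XML),
                           ("GoogleUpdateTaskMachineUA", BENIGN_TASK_XML)):
        print(name, "->", triage_task(xml_text, task_name=name) or ["no findings"])
```

Because the same task name can be registered by both legitimate software and an impostor, the triage keys on what the action actually executes rather than on the name. Pairing this with process-creation telemetry for `wscript.exe` spawning `powershell.exe` that then talks to Dropbox or Google Drive endpoints covers the next link in the chain the report describes.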
According to the investigators, “The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory.”
Because both PowerShell scripts are downloaded at run time, threat actors can modify them at any time to control which files are downloaded and executed on the compromised server.
Additionally, another PowerShell script, “68904.tmp,” can download a compressed binary and run it directly from memory to maintain a network connection to the attacker’s command-and-control (C2) server.
The Texas-based cybersecurity firm informed The Hacker News that it is unable to provide information on the campaign’s targets or scale because the investigation is ongoing.
This revelation serves as another indication that threat actors are increasingly exploiting lawful services to avoid detection.
The investigators emphasized, “This approach follows a common thread where threat actors manage to infect and persist on compromised systems while blending into regular background network noise. By embedding malicious scripts within seemingly innocuous cloud platforms, the malware not only ensures sustained access to targeted environments but also utilizes these platforms as conduits for data exfiltration and command execution.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.