Top cloud storage platforms hijacked to host malware — make sure that Google Drive or Dropbox link is safe

An abstract image of a cloud raining data.
(Image credit: Pixabay)

A new hacking campaign has been spotted in which the attackers are abusing legitimate cloud storage services to host malicious payloads.

In a research report, Securonix said that the campaign starts with a phishing email containing a .ZIP archive. When unzipped, the archive delivers an executable file that was made to look like an Excel file. The file name contains a hidden right-to-left override (RLO) Unicode character, which reverses the display order of the characters that follow it.

So, instead of seeing the file name as “RFQ-101432620247fl*U+202E*xslx.exe”, the victims will see “RFQ-101432620247flexe.xlsx” and can thus be tricked into thinking they’re opening a spreadsheet file. 
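The RLO trick above is easy to check for mechanically. The following is an added example (not the article's or Securonix's code): it finds Unicode bidi control characters in a filename, approximates how a file browser would render it, and flags a mismatch between the displayed and the real extension; the sample name is the article's, reconstructed with an actual U+202E character.

```python
# Added example, not the article's or Securonix's code. Bidi control code
# points that can reorder how a filename is drawn without changing its bytes.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# The article's sample name, reconstructed with a real U+202E in place of
# the "*U+202E*" marker used in the text.
SAMPLE_NAME = "RFQ-101432620247fl\u202exslx.exe"

def find_bidi_controls(name: str) -> list:
    """Return (position, abbreviation) for every bidi control in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def strip_bidi(name: str) -> str:
    """Drop the bidi controls; this is the string the OS actually opens."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: text after the first RLO
    (U+202E) is drawn right-to-left, i.e. reversed, up to the end of the
    string. A simplified bidi model that matches the article's case."""
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return strip_bidi(name)
    return strip_bidi(head) + strip_bidi(tail)[::-1]

def extension(name: str) -> str:
    """Lower-cased extension of name, or '' when it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def assess(name: str) -> dict:
    """Flag a name whose rendered extension differs from the real one."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = extension(strip_bidi(name)), extension(shown)
    return {
        "bidi_controls": controls,
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and real_ext != shown_ext,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_NAME))
```

Run over attachment names at a mail gateway or in an archive scanner, any name with a bidi control and a mismatched extension is worth quarantining regardless of what the icon shows.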

Abusing the cloud

The .ZIP archive comes with a couple of additional scripts to make the entire campaign seem more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive. 

"The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory," the researchers said.

This is not the first time hackers were observed abusing cloud services to host malware, or run malicious campaigns in general.

For example, Google Docs, Google’s cloud-based word processor, has the ability to share files with other people via email, using Google’s infrastructure. Hackers were abusing this fact to bypass spam protections and get malicious emails to land directly in people’s inboxes. Other services, such as DocuSign, SharePoint and GitHub, have been abused in similar ways.

In fact, according to Netskope’s report published two years ago, cloud applications were the number one distributor of malware in 2021.  

Securonix dubbed this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.