Don't trust file names: how Unicode special characters can fool even experienced professionals

Father

Professional
The malicious CLOUD#REVERSER operation abuses legitimate cloud services to evade detection.

Securonix researchers have discovered a new cyberattack campaign called CLOUD#REVERSER. In this operation, the attackers use legitimate cloud services, such as Google Drive and Dropbox, to host their malicious files.

"VBScript and PowerShell scripts within CLOUD#REVERSER perform C2 actions using Google Drive and Dropbox as platforms for managing file uploads and downloads," researchers Den Iuzvik, Tim Peck, and Oleg Kolesnikov wrote in their report.

The attack starts with a phishing email containing a ZIP archive with an executable disguised as a Microsoft Excel document. Not only does the file use the Excel logo as its icon, its name also contains a hidden Unicode character, the right-to-left override (U+202E), which reverses the display order of the characters that follow it, tricking the user into believing they are opening an Excel file.

For example, the executable used in the campaign is "RFQ-101432620247fl[U+202E]xslx.exe", which is displayed on the victim's system as "RFQ-101432620247fl exe.xlsx".
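The following Python snippet is an added example, not code from the article or from Securonix, showing how a defender can spot this trick in a file listing: it finds Unicode bidirectional control characters in a name, approximates what a file manager would display after a right-to-left override, and compares the extension the user sees with the extension the operating system actually acts on. The `rendered_name` model (reverse everything after the first U+202E) is a simplification of real bidi rendering, and the sample file names are constructed for the demonstration.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters (embeddings, overrides, isolates
# and their terminators). None of them has any business in a normal file name.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character used in this campaign


def find_bidi_controls(name):
    """Return (index, code point, Unicode name) for every bidi control in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def rendered_name(name):
    """Approximate how a file manager draws the name.

    Simplified model (assumption): everything after the first U+202E is
    drawn reversed, up to the end of the string. Full bidi layout is more
    involved, but this is enough to recover the extension the victim sees.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail[::-1]


def true_extension(name):
    """Extension the OS uses to choose a handler, with bidi controls stripped
    so they cannot mask it."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def displayed_extension(name):
    """Extension a person reading the rendered name would believe they see."""
    return os.path.splitext(rendered_name(name))[1].lower()


def analyze(name):
    """Summarise one file name; 'suspicious' means the shown and real
    extensions disagree because of a bidi control character."""
    controls = find_bidi_controls(name)
    true_ext = true_extension(name)
    shown_ext = displayed_extension(name)
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_name": rendered_name(name),
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and true_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample listing: the campaign's lure name plus two benign names.
    sample_names = [
        "RFQ-101432620247fl\u202exslx.exe",
        "Q2-forecast.xlsx",
        "setup.exe",
    ]
    for n in sample_names:
        r = analyze(n)
        print(f"{r['displayed_name']!r}: shown {r['displayed_extension']}, "
              f"real {r['true_extension']}, suspicious={r['suspicious']}")
```

Running it on the constructed listing reports the lure as shown `.xlsx` but really `.exe`, while the two benign names pass. The same check belongs in mail-gateway and archive-inspection pipelines, where rejecting or quarantining any attachment name containing a bidi control character is a cheap, low-false-positive rule.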

During the attack, the executable drops and runs eight malicious payloads, including a decoy Excel file and a heavily obfuscated Visual Basic script that opens the Excel file and launches two further scripts.

Both scripts establish persistence on the victim's computer through a Windows Task Scheduler task masquerading as a Google Chrome browser update. These tasks run unique VB scripts every 60 seconds.

Each of these scripts runs two PowerShell scripts that connect to attacker-controlled Dropbox and Google Drive accounts to download additional scripts.
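The persistence pattern described above (a task named after a browser update that actually runs a VB script through a scripting host every 60 seconds) is easy to hunt for in a scheduled-task inventory. The Python below is an added example, not from the article or Securonix: it scores each task on three independent signals and reports those that trip at least two. The task inventory is constructed for the demonstration, in roughly the shape one would get from parsing `schtasks /query /fo CSV /v` output; the field names and thresholds are assumptions.

```python
import re

# Constructed scheduled-task inventory (not from any real host). One genuine
# updater task, two masquerading tasks, and an unrelated Windows task.
TASKS = [
    {"name": "\\GoogleUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /c",
     "repeat_seconds": 3600},
    {"name": "\\GoogleChromeUpdate",
     "action": "wscript.exe //B C:\\ProgramData\\update\\run.vbs",
     "repeat_seconds": 60},
    {"name": "\\Chrome Updater",
     "action": "C:\\Windows\\System32\\cscript.exe C:\\Users\\Public\\chk.vbs",
     "repeat_seconds": 60},
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": "%windir%\\system32\\defrag.exe -c -h -k -g -$",
     "repeat_seconds": 604800},
]

# Script interpreters and script extensions that a browser updater never needs.
SCRIPT_HOSTS = re.compile(r"(?:^|\\)(wscript|cscript|powershell|pwsh|mshta)(?:\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta|wsf)\b", re.I)
BROWSER_WORDS = re.compile(r"chrome|google", re.I)
UPDATER_BINARY = re.compile(r"GoogleUpdate\.exe", re.I)


def task_findings(task, max_interval=60):
    """Return the list of suspicious signals for one task record.

    Signals: (1) the action hands a script file to a scripting host,
    (2) the repeat interval is very short (default: 60 s or less),
    (3) the name suggests a browser update but the action is not the
        updater binary. The threshold and the name heuristic are assumptions.
    """
    findings = []
    action = task["action"]
    if SCRIPT_HOSTS.search(action) and SCRIPT_EXT.search(action):
        findings.append("runs a script file through a scripting host")
    if task["repeat_seconds"] <= max_interval:
        findings.append(f"repeats every {task['repeat_seconds']}s")
    if BROWSER_WORDS.search(task["name"]) and not UPDATER_BINARY.search(action):
        findings.append("browser-update name but action is not the updater binary")
    return findings


def triage(tasks, min_findings=2):
    """Map task name -> findings for every task with at least min_findings signals."""
    flagged = {}
    for task in tasks:
        findings = task_findings(task)
        if len(findings) >= min_findings:
            flagged[task["name"]] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage(TASKS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Requiring two signals keeps a legitimate updater (browser-related name, long interval, updater binary) and a legitimate admin script on a short timer from being flagged on a single trait; on a real fleet the interval threshold and the name list are the knobs to tune against your own baseline.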

These scripts then execute the downloaded PowerShell scripts and fetch additional files from the cloud services, including executables chosen according to the system's configuration.

The final PowerShell script downloads files from Google Drive into the ProgramData directory on the local system and executes them according to criteria set by the attackers.

A further PowerShell script is loaded via "68904.tmp"; it can execute a compressed binary directly from memory and maintains the connection to the command-and-control server.

"This approach allows attackers to remain undetected by embedding malicious scripts in conventional cloud platforms, providing constant access to target systems, and using these platforms to exfiltrate data and execute commands," the researchers concluded.

Securonix researchers said that they cannot yet provide details about the goals and scope of the campaign, as the investigation is still ongoing.

This incident highlights the growing tendency of attackers to abuse legitimate services for covert attacks, and demonstrates their ability to adapt using methods and techniques that even experienced specialists may not be aware of.

All this requires users and companies to pay closer attention to security, to update their systems regularly, and to keep their technical knowledge current in order to protect against such cyber threats.