Top cloud storage platforms hijacked to host malware — make sure that Google Drive or Dropbox link is safe

So, instead of seeing the file name as “RFQ-101432620247fl*U+202E*xslx.exe”, the victims will see “RFQ-101432620247flexe.xlsx” and can thus be tricked into thinking they’re opening a spreadsheet file. 

Abusing the cloud

The .ZIP archive comes with a couple of additional scripts to make the entire campaign seem more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive. 

"The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory," the researchers said.

This is not the first time hackers were observed abusing cloud services to host malware, or run malicious campaigns in general.

For example, Google Docs, Google’s cloud-based word processor, has the ability to share files with other people via email, using Google’s infrastructure. Hackers were abusing this fact to bypass spam protections and get malicious emails to land directly into people’s inboxes. Other services, such as DocuSign, Sharepoint, GitHub, and many others. 

In fact, according to Netskope’s report published two years ago, cloud applications were the number one distributor of malware in 2021.  

Securonix dubbed this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.

Via The Hacker News

More from TechRadar Pro

• Cloud apps were the biggest source of malware
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now