Cybersecurity researchers at Securonix recently observed a new hacking campaign in which attackers abuse legitimate cloud storage services to host malicious payloads.
In an investigative report published earlier this week (via The Hacker News), Securonix said the campaign begins with a phishing email containing a .ZIP file. When unzipped, the archive delivers an executable that is made to look like an Excel file. The file name contains a hidden right-to-left override (RLO) Unicode character, which reverses the display order of every character that follows it.
So, instead of seeing the file name as “RFQ-101432620247fl*U+202E*xslx.exe”, victims will see “RFQ-101432620247flexe.xlsx” and can therefore be tricked into believing that they are opening a spreadsheet file.
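To make the trick concrete from the defender's side, here is an added example (not code from the article or from Securonix) that models how a name containing U+202E is displayed, compares the apparent extension with the real one, and flags any file name carrying Unicode bidirectional control characters. The sample name is constructed from the one quoted above; the display model is a deliberate simplification of real bidi rendering (it handles a single U+202E, which is the case described here).

```python
import os
import unicodedata

# Bidi classes of the Unicode control characters that can reorder or hide text.
# U+202E (RLO) is the one used in the campaign described above.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def is_bidi_control(ch: str) -> bool:
    """True if the character is a Unicode bidirectional embedding/override control."""
    return unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES


def rendered_name(name: str) -> str:
    """Approximate what a user sees for a name containing one U+202E:
    the control itself is invisible and the text after it is reversed.
    Simplified model (assumption): one override, no closing PDF."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension the OS actually uses, i.e. whatever follows the last dot."""
    return os.path.splitext(name)[1].lower()


def apparent_extension(name: str) -> str:
    """Extension a user would read off the displayed name."""
    return os.path.splitext(rendered_name(name))[1].lower()


def analyze(name: str) -> dict:
    """Summarise a file name: displayed form, real vs apparent extension,
    any bidi controls present, and whether it should be treated as suspicious."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if is_bidi_control(c)})
    apparent, real = apparent_extension(name), true_extension(name)
    return {
        "name": name,
        "displayed": rendered_name(name),
        "apparent_ext": apparent,
        "true_ext": real,
        "bidi_controls": controls,
        "suspicious": bool(controls) or apparent != real,
    }


def flag_names(names: list[str]) -> list[dict]:
    """Return the analyses of every name that looks disguised; usable over a
    directory listing or an attachment manifest."""
    return [r for r in map(analyze, names) if r["suspicious"]]


# Constructed sample: the quoted name with the RLO character placed after "fl".
SAMPLE = "RFQ-101432620247fl\u202exslx.exe"

if __name__ == "__main__":
    for result in flag_names([SAMPLE, "report.xlsx", "invoice.pdf"]):
        print(f'{result["displayed"]!r} is really {result["true_ext"]} '
              f'(controls: {result["bidi_controls"]})')
```

The `suspicious` flag fires on either condition independently: the presence of any bidi control character in a file name is itself worth alerting on, since there is almost no legitimate reason for one to appear there, and the extension mismatch catches the specific disguise even if the display model is not exact for a given viewer.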
Abusing the cloud
The .ZIP file comes with a couple of additional scripts to make the entire campaign look more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive.
“The late-stage PowerShell script zz.ps1 has the functionality to download files from Google Drive based on specific criteria and save them to a specific path on the local system within the ProgramData directory,” the researchers said.
This is not the first time hackers have been seen abusing cloud services to host malware or run malicious campaigns in general.
For example, Google Docs, Google's cloud-based word processor, can share files with others via email using Google's own infrastructure. Hackers abused this to bypass spam protections and get malicious emails directly into people's inboxes. Other services, including DocuSign, SharePoint and GitHub, have been abused in similar ways.
In fact, according to a Netskope report published two years ago, cloud applications were the main distributor of malware in 2021.
Securonix called this latest campaign CLOUD#REVERSER. We don't know how many victims it affects.