A recent attack campaign named CLOUD#REVERSER has emerged, utilizing popular cloud storage services like Google Drive and Dropbox to host malicious payloads. This campaign begins with a phishing email containing an executable file disguised as a Microsoft Excel document. Upon execution, the malware deploys VBScript and PowerShell scripts to establish persistence and fetch additional malware from the cloud services.
The deceptive nature of the attack is highlighted by the use of hidden Unicode characters in filenames, making them appear legitimate to unsuspecting users. These scripts masquerade as routine tasks, such as Google Chrome updates, to evade detection. Once established, the scripts connect to actor-controlled accounts on Google Drive and Dropbox to download further PowerShell scripts, enabling the execution of additional malware on compromised systems.
Securonix researchers emphasize the sophisticated nature of this attack, which demonstrates a growing trend among threat actors to leverage legitimate services to evade detection. By embedding malicious scripts within seemingly innocuous cloud platforms, the attackers ensure prolonged access to compromised systems while maintaining a low profile. This approach underscores the importance of robust cybersecurity measures to detect and mitigate such advanced threats effectively.
