TechRadar
Sead Fadilpašić

Top cloud storage platforms hijacked to host malware — make sure that Google Drive or Dropbox link is safe

A new hacking campaign has been spotted in which the attackers are abusing legitimate cloud storage services to host malicious payloads.

In a research report, Securonix said that the campaign starts with a phishing email containing a .ZIP archive. When unzipped, the archive delivers an executable file that was made to look like an Excel file. The file name contains a hidden right-to-left override (RLO) Unicode character, which reverses the display order of the characters that follow it.

So, instead of seeing the file name as “RFQ-101432620247fl*U+202E*xslx.exe”, the victims will see “RFQ-101432620247flexe.xlsx” and can thus be tricked into thinking they’re opening a spreadsheet file.
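The renaming trick above can be checked mechanically: strip the bidi control characters, compare the extension the operating system will actually use against the one a user sees. The following is an added illustration, not code from Securonix or the article; the sample file name is constructed after the one quoted above, and the display simulation is an approximation (a real file manager runs the full Unicode bidi algorithm).

```python
import unicodedata

# Unicode bidi controls that can reorder or hide parts of displayed text.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE, the character used in this campaign


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: the override itself is invisible
    and everything after an RLO is rendered reversed (no terminating PDF)."""
    idx = name.find(RLO)
    if idx == -1:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head = "".join(ch for ch in name[:idx] if ch not in BIDI_CONTROLS)
    tail = "".join(ch for ch in name[idx + 1:] if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' of the raw name,
    ignoring bidi control characters entirely."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def analyze_filename(name: str) -> dict:
    """Flag names that carry bidi controls or whose shown and real extensions differ."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    actual_ext = real_extension(name)
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "actual_ext": actual_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or shown_ext != actual_ext,
    }


# Constructed sample modelled on the file name quoted in the article.
SAMPLE = "RFQ-101432620247fl\u202Exslx.exe"

if __name__ == "__main__":
    print(analyze_filename(SAMPLE))
```

Run over an attachment listing, any name flagged as `suspicious` deserves a closer look before it is opened.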

Abusing the cloud

The .ZIP archive comes with a couple of additional scripts to make the entire campaign seem more authentic, but the main .exe file will trigger a multi-stage deployment action that concludes with two PowerShell scripts hosted on Dropbox and Google Drive.

"The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory," the researchers said.

This is not the first time hackers have been observed abusing cloud services to host malware, or to run malicious campaigns in general.

For example, Google Docs, Google’s cloud-based word processor, has the ability to share files with other people via email, using Google’s infrastructure. Hackers were abusing this fact to bypass spam protections and get malicious emails to land directly in people’s inboxes. Other services, such as DocuSign, SharePoint, GitHub, and many others, have been abused in similar ways.

In fact, according to Netskope’s report published two years ago, cloud applications were the number one distributor of malware in 2021.

Securonix dubbed this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.

Via The Hacker News
