Cloudy with a Chance of Malware: Unpacking the CLOUD#REVERSER Attack via Google Drive & Dropbox

Beware the CLOUD#REVERSER scheme: cyber crooks are sneakily using Google Drive and Dropbox to host their scripts, and disguising a deadly executable as a dull Excel doc. Got an attachment whose name looks perfectly normal but hides a right-to-left Unicode override in front of the real .exe? Think twice before you click, lest you invite these digital tricksters for an unwanted hard drive havoc party! #CyberSecurityShenanigans

Hot Take:

Oh, look, hackers are getting cloud-savvy with their latest fashion trend, CLOUD#REVERSER! They’re now using our beloved Google Drive and Dropbox to play hide-and-seek with malicious goodies. Who knew cloud storage could double as a hacker’s walk-in closet for malware accessories?

Key Points:

  • The CLOUD#REVERSER campaign uses legitimate cloud services as a stage for its malicious scripts, with Google Drive and Dropbox in supporting roles as payload hosts.
  • The opening act is a phishing email carrying a ZIP file; inside is an executable masquerading as an Excel file, thanks to a Unicode right-to-left override character that hides the real .exe extension from the victim's eyes.
  • Running that executable drops eight payloads that set up shop on the victim's computer; the persistence scripts then call forth fresh PowerShell from their cloud hideouts every minute.
  • These scripts have the special talent of downloading and executing files from the cloud, and because the actors control the hosted files, the payload can be modified on the fly without ever touching the victim again.
  • Securonix, the cybersecurity firm behind the curtain, says the show's still on, and the full extent of the audience (targets) is yet to be determined.

Need to know more?

Phishing Email: The Trojan Horse's New Groove

The grand entrance of our cyber-nemesis begins with a phishing email, sneaking in a ZIP file. Inside is an executable all dressed up as an Excel file. But wait, there's a twist! The filename carries a Unicode right-to-left override character, so the tail of the name is rendered backwards and the real ".exe" ending struts down the runway looking like ".xlsx". Victims see a spreadsheet, Windows sees a program, and the double-click runs the program. Classic bait-and-switch, darling.

Eight Is Enough: The Payload Party

Upon running the disguised executable, an ensemble cast of eight payloads takes the stage. There's a decoy Excel file for the smoke and mirrors show, while a VBScript works behind the scenes to open it and keep the illusion alive. The real stars, however, are two scripts that pose as Google Chrome updates while setting themselves up to run again and again, so the malware survives a reboot. Talk about persistence!

Cloud Couture: High Fashion in Hacking

These scripts don't stop at just living rent-free on your computer. They're high-maintenance, demanding fresh PowerShell scripts delivered every minute from their cloud penthouses on Google Drive and Dropbox. And because they're divas, they expect to change their demands whenever they please: the actors only have to swap the hosted file and every infected host picks up the new orders on its next poll. The late-stage PowerShell script, zz.ps1, even has a personal shopper that downloads files from Google Drive matching its picky criteria and stashes them where it wants them.
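A once-a-minute poll to a cloud storage domain is a cadence, and cadence is detectable even when the destination is a service your users legitimately hit all day. The script below is an added example, not Securonix's detection content; the proxy log lines it reads are constructed for illustration and the host names, timestamps and domain list are assumptions. It groups requests by source host and cloud-storage destination, measures the gaps between them, and flags pairs whose gaps are tightly clustered around sixty seconds.

```python
"""Flag hosts polling cloud-storage domains on a fixed ~60 s cadence.
Added example, not code from the CLOUD#REVERSER report.  The log below is
constructed: format is '<ISO-8601 timestamp> <source host> <destination>'."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-05-20T10:00:01Z WS-17 drive.google.com
2024-05-20T10:00:03Z WS-17 www.bing.com
2024-05-20T10:01:01Z WS-17 drive.google.com
2024-05-20T10:02:02Z WS-17 drive.google.com
2024-05-20T10:03:01Z WS-17 drive.google.com
2024-05-20T10:04:01Z WS-17 drive.google.com
2024-05-20T10:05:02Z WS-17 drive.google.com
2024-05-20T10:00:15Z WS-22 drive.google.com
2024-05-20T10:07:40Z WS-22 drive.google.com
2024-05-20T10:31:05Z WS-22 drive.google.com
"""

# Destinations worth watching; assumed list, extend to match your environment.
CLOUD_STORAGE = {
    "drive.google.com", "www.dropbox.com",
    "dl.dropboxusercontent.com", "content.dropboxapi.com",
}


def parse(log):
    """Group request timestamps by (source host, cloud destination)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, host, dest = line.split()
        if dest in CLOUD_STORAGE:
            events[(host, dest)].append(
                datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events


def beacon_candidates(events, period=60.0, tolerance=5.0, min_hits=5):
    """Return (host, dest, mean_gap, gap_stddev, hits) for series whose
    inter-request gaps average close to `period` with little jitter."""
    flagged = []
    for (host, dest), times in events.items():
        times.sort()
        if len(times) < min_hits:          # too few samples to call a cadence
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m, sd = mean(gaps), pstdev(gaps)
        if abs(m - period) <= tolerance and sd <= tolerance:
            flagged.append((host, dest, round(m, 1), round(sd, 1), len(times)))
    return flagged


if __name__ == "__main__":
    for host, dest, m, sd, hits in beacon_candidates(parse(SAMPLE_LOG)):
        print(f"{host} -> {dest}: {hits} requests, mean gap {m}s, stddev {sd}s")
```

Legitimate sync clients also poll these domains, so treat a hit as a lead, not a verdict: pivot on the requesting process and compare against the cadence that host showed before the suspected infection. The detection is in the regularity, which is why the script checks the spread of the gaps and not just their average.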

Memory Runway: The Invisible Performance

But wait, there's more! Another PowerShell script fetches a compressed binary and runs it straight from RAM, so the unpacked payload never lands on the hard drive, and from there it phones home to the C2 server. It's like a flash mob performance in your system's memory: here one minute, gone the next. "Gone" is relative, though. In-memory execution leaves fewer files for antivirus to scan, but the persistence it relies on and the minute-by-minute traffic to Google Drive and Dropbox are still right there in your logs for anyone who looks.

Securonix Spills the Tea

The Texas-based cybersecurity firm Securonix is like the gossip columnist of the cyber world, but this time they can't tell you who was on the guest list. The scale of this cloud-based masquerade ball is still unknown, and the campaign was still active at the time of their report. What's clear is that hackers love to crash the cloud party: traffic to Google Drive and Dropbox blends in with the ordinary data crowd, so the bouncers (security software and network filters) wave it through.

In summary, CLOUD#REVERSER is the latest cybercrime collection, featuring cloud services as the runway for a malware fashion show. It's a reminder that in the digital world, even the fluffiest clouds can cast a shadowy threat. Stay vigilant, or you might just find your system strutting down the catwalk in the latest malware ensemble, without even knowing it's in the show!

Tags: cloud storage services, Command-and-Control, Data Exfiltration, legitimate service misuse, malware payload staging, phishing attacks, PowerShell and VBScript