HomeCyber BalkansCloud-Based Malware Attack Exploiting Google Drive & Dropbox

Cloud-Based Malware Attack Exploiting Google Drive & Dropbox

Published on

spot_img

Cybersecurity researchers have recently uncovered a sophisticated phishing email campaign that targets unsuspecting users by disguising a malicious executable as an Excel file. The attackers behind this campaign employ various obfuscation techniques to evade detection and compromise systems.

The attack begins with a phishing email containing a zip attachment that appears to be a harmless Excel spreadsheet. However, the zip file actually contains a single executable file disguised using Left-To-Right Override characters (LTRO) to make it look like an Excel file. When users open the attachment, they unknowingly launch the malware, believing it to be a legitimate document.

The malicious executable, a small file compiled with Visual Studio 2015, heavily utilizes XOR encoding to obfuscate its strings and embedded files. This encryption makes it difficult for security analysts to conduct static analysis and identify the true nature of the payload. Additionally, the executable drops VBScript payloads along with a legitimate Excel file, further adding to the deception.

Upon execution, the malware dropper writes several files to the C:\ProgramData directory, a common location for malware due to its hidden nature and write permissions. These files, including 20240416.xlsx and 3156.vbs, are encoded with XOR to hide their content, making it challenging to analyze them.

The attack involves a multi-stage process that transitions from binary execution to a VBScript stage. The core malicious functionality lies in the VBScript execution, which creates scheduled tasks disguised as legitimate system processes to achieve persistence on the infected system. The script also downloads additional malicious payloads and creates temporary VBScript files to bypass execution policies and run PowerShell scripts using various obfuscated techniques.

The attackers leverage scheduled tasks and VBScripts to execute PowerShell scripts every minute, facilitating the download of additional malicious files from Dropbox and Google Drive. The PowerShell scripts are designed to download compressed binaries and execute them in memory to establish a connection with the attackers’ command and control (C2) server at a predefined IP and port.

This sophisticated attack highlights the evolving tactics used by cybercriminals to evade detection and compromise systems. Organizations and users are advised to remain vigilant against phishing emails and ensure that they have robust cybersecurity measures in place to protect against such threats.

In conclusion, the phishing email campaign that disguises a malicious executable as an Excel file is a stark reminder of the ongoing cybersecurity threats faced by individuals and organizations. By employing advanced obfuscation techniques and multi-stage attacks, cybercriminals continue to evolve their tactics to bypass security defenses and carry out malicious activities. It is essential for users to stay informed about these threats and take proactive steps to protect their systems and data from such attacks.

Source link

Latest articles

Researcher Discovers Ninth Windows Zero-Day Vulnerability

LegacyHive: An Emerging Local Privilege Escalation Vulnerability In a recent turn of events in the...

Proton Introduces Business Continuity Service to Ensure Communication During Outages

Swiss encrypted communications provider Proton has recently introduced a dedicated business continuity service aimed...

Surge in Compromised Logins Becomes the Primary Entry Point for Ransomware

Identity-Based Attacks: A Growing Threat in Cybersecurity Identity-based attacks and the exploitation of compromised credentials...

US Launches AI-Powered Gold Eagle Cybersecurity Group

White House Establishes Gold Eagle: A New Initiative in Cybersecurity Collaboration In a significant move...

More like this

Researcher Discovers Ninth Windows Zero-Day Vulnerability

LegacyHive: An Emerging Local Privilege Escalation Vulnerability In a recent turn of events in the...

Proton Introduces Business Continuity Service to Ensure Communication During Outages

Swiss encrypted communications provider Proton has recently introduced a dedicated business continuity service aimed...

Surge in Compromised Logins Becomes the Primary Entry Point for Ransomware

Identity-Based Attacks: A Growing Threat in Cybersecurity Identity-based attacks and the exploitation of compromised credentials...