Top cloud storage platforms hijacked to host malware — make sure that Google Drive or Dropbox link is safe

Hackers are hosting malicious scripts on Google Drive and Dropbox


A new hacking campaign has been spotted in which the attackers are abusing legitimate cloud storage services to host malicious payloads.

In a research report, Securonix said that the campaign starts with a phishing email containing a .ZIP archive. When unzipped, the archive delivers an executable file that was made to look like an Excel file. The file name uses a hidden right-to-left override (RLO) Unicode character, which reverses the display order of the characters that follow it.

So, instead of seeing the file name as “RFQ-101432620247flU+202Exslx.exe”, the victims will see “RFQ-101432620247flexe.xlsx” and can thus be tricked into thinking they’re opening a spreadsheet file.
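As an added example that is not part of the original article or of the Securonix report, the following Python checker flags archive entry names that carry Unicode bidirectional controls while actually ending in an executable extension. The sample file name is constructed to mirror the one quoted above; the rendering model is a deliberately simplified approximation of the bidi algorithm, and the extension list is an assumption.

```python
import unicodedata
import zipfile

# Unicode bidirectional controls that change how a name is displayed;
# U+202E (RLO) is the character the Securonix report describes.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1"}  # assumed list

def rendered_name(name):
    """Approximate what a file browser shows: characters after an RLO are drawn
    reversed until a PDF (U+202C) or the end of the string (simplified bidi model)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = (name + "\u202c").find("\u202c", i + 1)   # PDF or end of string
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def true_extension(name):
    """Extension the OS will actually use, ignoring the invisible controls."""
    cleaned = "".join(c for c in name if c not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""

def inspect_filename(name):
    """Flag a name that contains bidi controls and really ends in an executable."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    ext = true_extension(name)
    return {
        "shown_as": rendered_name(name),
        "true_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTS,
    }

def scan_zip(path):
    """Return (entry name, finding) for every suspicious entry in a .ZIP attachment."""
    with zipfile.ZipFile(path) as zf:
        findings = [(n, inspect_filename(n)) for n in zf.namelist()]
    return [f for f in findings if f[1]["suspicious"]]
```

Running `inspect_filename("RFQ-101432620247fl\u202exslx.exe")` reports the name as shown (`...flexe.xlsx`), the true extension `exe` and the RLO control, which is the signal a mail gateway or sandbox can act on before the user sees a spreadsheet icon.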

Abusing the cloud

The .ZIP archive comes with a couple of additional scripts to make the entire campaign seem more authentic, but the main .exe file triggers a multi-stage deployment that concludes with two PowerShell scripts hosted on Dropbox and Google Drive.

“The late-stage PowerShell script zz.ps1 has functionality to download files from Google Drive based on specific criteria and save them to a specified path on the local system inside the ProgramData directory,” the researchers said.

This is not the first time hackers were observed abusing cloud services to host malware, or run malicious campaigns in general.

For example, Google Docs, Google’s cloud-based word processor, can share files with other people via email using Google’s own infrastructure. Hackers have abused this to bypass spam protections and land malicious emails directly in people’s inboxes. Other services, such as DocuSign, SharePoint, GitHub, and many more, have been abused in similar ways.

In fact, according to Netskope’s report published two years ago, cloud applications were the number one distributor of malware in 2021.

Securonix dubbed this latest campaign CLOUD#REVERSER. We don’t know how many victims it affects.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.