CLOUD#REVERSER A Stealthy Campaign Turns Cloud Storage Hostile

A newly discovered attack campaign, named CLOUD#REVERSER, leverages cloud storage services like Google Drive and Dropbox to deploy and manage malicious payloads. Researchers at Securonix have found that this campaign uses these platforms to stage malware and exfiltrate data, blending into normal network activity to evade detection. The primary objective of CLOUD#REVERSER is to maintain persistent access to compromised systems and facilitate data theft. This is achieved by disguising its malicious activities within legitimate cloud service traffic, which allows the threat actors to dynamically fetch executable commands and update operational scripts remotely, using VBScripts and PowerShell scripts.

The initial phase of the CLOUD#REVERSER campaign, as reported by Securonix researchers Den Iuzvyk, Oleg Kolesnikov, and Tim Peck, begins with a phishing email that delivers a ZIP file to the victim. This ZIP file contains an executable disguised as an Excel file, indicated by a double-file extension. Once executed, this file drops several items, including tmp files, PowerShell scripts, and VBScripts into the C:\ProgramData\ directory, leveraging its writable permissions. "Each file saved to the disk originates directly from the binary payload. This payload is embedded within the executable as variables encoded using XOR, effectively concealing its plain-text string values," the Securonix researchers note.

Following the initial breach, two VBScripts, 3156.vbs and i4703.vbs, are executed early in the attack chain. The first script, 3156.vbs, uses the Windows Script Host to launch other scripts and the decoy Excel file, then cleans up after itself to minimize detection. Subsequently, i4703.vbs establishes a scheduled task that masquerades as a Google Chrome update task to ensure persistence, executing every minute to maintain the attacker's foothold. As the attack progresses, additional VBScripts are executed through scheduled tasks, which in turn run PowerShell scripts that connect to Dropbox and Google Drive. These scripts define parameters needed to interface with the DropBox API, enable actions such as the download of additional PowerShell scripts, which can then utilized to fetch and execute additional commands or binaries directly from memory. This approach allows the attackers to update their functionality dynamically and maintain a stealthy presence on the system.

The CLOUD#REVERSER campaign is a clear example of how cyber threat actors exploit legitimate cloud services to conduct their operations discreetly. By using cloud storage as both a staging area and command center, these actors can continuously adapt their tactics and payloads. Securonix's tracking of CLOUD#REVERSER follows a March 2024 report on a campaign dubbed DEEP#GOSU. This campaign, attributed to the North Korean threat group Kimsuky, was also observed using Dropbox and Google Docs to mask command and control (C2) communications. While no specific attribution was given for the CLOUD#REVERSER campaign, both campaigns offer insights into notable attack behaviors, emphasizing the importance of monitoring specific process executions and behaviors tied to VBScript and PowerShell activities, along with