APT Hackers Using Google Drive And OneDrive To Host Malicious Scripts

Threat actors are using cloud storage services such as Google Drive, OneDrive, and Dropbox to distribute malware and steal user information. They upload malicious files such as scripts, RAT (Remote Access Trojan) malware, and decoy documents, which can download additional malware or leak sensitive information.

The attacks involve a chain of files, often starting with a shortcut file (LNK) that retrieves and executes other malicious components stored in the cloud, allowing attackers to easily update the malware and potentially deploy new malicious functionalities. 

Figure: Operation process

A disguised LNK file named “Police Cyber Investigation Bureau—Internet Use History (check now to keep your PC safe).html.lnk” launches a PowerShell script, which decodes a Base64-encoded payload containing PowerShell commands.


The commands are saved as a temporary file (ms_temp_08.ps1) in the user’s TEMP directory, and the script bypasses execution policy restrictions and executes the temporary PowerShell file in a hidden window. 

Figure: The list of registered tasks

The malicious script ms_temp_08.ps1 downloads a decoy document named “Police Cyber Investigation Bureau – Internet Use History (check now to keep your PC safe).html” and executes it. 

It then creates a new PowerShell script named ms_update.ps1 in the TEMP folder and registers it to run every 30 minutes using the Task Scheduler.

Additionally, it downloads another file named SoJ****-F.txt and saves it as first.ps1 in the TEMP folder for execution.  

The malicious script “ms_update.ps1” uses Dropbox to download a secondary script, “info.ps1”, from storage controlled by the threat actor and saves it on the victim’s system disguised as a temporary file.
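The behaviours in this chain (a double-extension shortcut, hidden PowerShell with an execution-policy bypass running a script from TEMP, and a recurring task that launches a TEMP script) can be hunted in endpoint telemetry. The following is an added detection sketch, not code from ASEC or the original article; the event layout, the regular expressions, the sample events and the use of schtasks.exe to register the task are assumptions.

```python
import re

# Heuristics for the behaviours described above. The patterns are assumptions about
# how those behaviours appear in endpoint telemetry, not signatures published by ASEC.
DOUBLE_EXT_LNK = re.compile(r"\.(?:html?|pdf|docx?|hwp)\.lnk$", re.I)
PS_HIDDEN = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
PS_BYPASS = re.compile(r"-e[xp][a-z]*\s+bypass\b", re.I)
TEMP_PS1 = re.compile(r'(?:%temp%|\$env:temp|\\appdata\\local\\temp)\\[^\\\s"]+\.ps1\b', re.I)
# Assumption: the task is registered with schtasks.exe; the article does not say how.
TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)
TASK_MINUTES = re.compile(r"/sc\s+minute\b", re.I)


def classify(kind, text):
    """Return the finding for one event, or None if nothing matches.

    kind is "file_create" (text = file path) or "process_create" (text = command line).
    """
    if kind == "file_create":
        return "double-extension-shortcut" if DOUBLE_EXT_LNK.search(text) else None
    if kind != "process_create" or not TEMP_PS1.search(text):
        return None
    if TASK_CREATE.search(text) and TASK_MINUTES.search(text):
        return "recurring-task-runs-temp-script"
    if "powershell" in text.lower() and PS_HIDDEN.search(text) and PS_BYPASS.search(text):
        return "hidden-bypass-temp-script"
    return None


# Constructed sample events; user name, paths and task name are invented.
SAMPLE_EVENTS = [
    ("file_create", r"C:\Users\u1\Downloads\Internet Use History.html.lnk"),
    ("process_create", r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                       r'-File "C:\Users\u1\AppData\Local\Temp\ms_temp_08.ps1"'),
    ("process_create", r'schtasks.exe /create /sc minute /mo 30 /tn "ExampleTask" /tr '
                       r'"powershell.exe -ep bypass -w hidden -File %TEMP%\ms_update.ps1"'),
    ("process_create", r"powershell.exe -ExecutionPolicy Bypass -File C:\build\deploy.ps1"),
    ("file_create", r"C:\Users\u1\Desktop\notes.lnk"),
]


def findings(events):
    """Classify every event and keep only the ones that produced a finding."""
    return [(f, text) for kind, text in events if (f := classify(kind, text))]


if __name__ == "__main__":
    for finding, text in findings(SAMPLE_EVENTS):
        print(f"{finding}: {text}")
```

The last two sample events are benign controls: a bypass flag alone, or an ordinary shortcut, does not produce a finding.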

Figure: Additionally found decoy document (4)

The analysis by AhnLab SEcurity intelligence Center (ASEC) revealed decoy documents in various formats (HTML, Word, HWP, and PDF) within Dropbox, strategically placed to mask the malicious intent. 

These decoy documents use themes like university cooperation requests, delivery confirmations, and foreign affairs to target specific victims, possibly leveraging social engineering tactics. 

An LNK file downloads two PowerShell scripts (first.ps1 and info.ps1) from the attacker’s cloud storage.

The scripts, named after potential targets, were retrieved from a cloud storage service different from the initially suspected Dropbox.

Figure: Confirmed script file names

Each target seems to have a dedicated folder containing a decoy document and two scripts, which use stolen Dropbox tokens (client_id, client_secret, and refresh_token) for authentication. 

first.ps1 is a malicious PowerShell script that acts like spyware. When run, it gathers system details including the operating system version, security software information, boot time, machine type (laptop/desktop), running processes, and the PowerShell security settings.

The malicious PowerShell script “info.ps1” (SoJ****-X.txt) uploads a file to the threat actor’s Dropbox and downloads additional malware from Google Drive. The uploaded file likely serves to check for script execution and could leak information if modified.

Figure: Part of XenoRAT’s code

Downloaded malware is disguised as a compressed file and leverages a custom file signature to appear like an RTF document.

Once decompressed, the malware, a C# (.NET) file, is executed in memory using reflection. 

The file system-xn.dat launches XenoRAT malware, allowing remote attackers to control the infected device.

XenoRAT can load other malware, manipulate processes, and communicate with a command-and-control server for further instructions.
