Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Keypoints

  • The CLOUD#REVERSER campaign uses legitimate cloud services (Google Drive and Dropbox) as staging, command, and data-exfiltration conduits.
  • The initial lure is a phishing email carrying a ZIP archive; the executable inside poses as an Excel file by embedding a Right-to-Left Override (RLO, U+202E) character in its name, so the real .exe extension is rendered as part of a spreadsheet-like filename.
  • Most strings and the embedded payloads are XOR-encoded with the single byte 0xE2, so a plain static scan shows no readable indicators until they are decoded.
  • The drop-and-execute chain writes multiple files to C:\ProgramData as a staging area and continues with VBScript stages that launch further payloads via ShellExecute.
  • A multi-stage VBScript sequence registers scheduled tasks that run hidden payloads every minute, giving the malware persistence and a steady re-execution cadence.
  • Stage 6 and the post-exploitation stages use PowerShell scripts that talk to Dropbox and Google Drive with OAuth 2.0 tokens, giving the operators file download, upload and remote control over ordinary-looking cloud-storage traffic.
  • More recent components execute code in memory to contact a remote C2 server at 159.100.13.216:6606 and run its commands, which shrinks the on-disk footprint and sidesteps file-based defenses.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “The attack chain kicks off after the user receives a phishing email and downloads a zip archive sent as an attachment.”
  • [T1204.002] User Execution: Malicious File – The user double-clicks the executable believing it to be an Excel file, which starts the infection.
  • [T1036.002] Masquerading: Right-to-Left Override – The executable carries a Microsoft Excel icon and a Right-to-Left Override (U+202E) character in its filename, so the real .exe extension is displayed as part of a spreadsheet-like name.
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Strings and embedded payloads are XOR-encoded with the single byte 0xE2 to hinder analysis. “Most of the strings and embedded files which get written to disk are XOR encoded using a hexadecimal offset of E2.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Stages 2–4 are VBScript files (3156.vbs, i4703.vbs, i6050.vbs) that drive the early execution and payload deployment.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware creates scheduled tasks to persist and re-run its payloads (e.g., “registers the task under the name… and repeats every minute”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Multiple PowerShell scripts handle payload deployment, obfuscated stages, and post-exploitation actions (e.g., “powershell -ep bypass -command…”).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Components are launched through shell-level invocations (WScript execution and ShellExecute calls).
  • [T1041] Exfiltration Over C2 Channel – Data leaves the host over the same TLS-encrypted Dropbox and Google Drive sessions that carry command-and-control traffic, so exfiltration blends into the C2 channel.
  • [T1567.002] Exfiltration to Cloud Storage – Dropbox upload and Google Drive upload/download flows move data to attacker-controlled cloud storage.
  • [T1070.004] Indicator Removal: File Deletion – The VBScript deletes its own components (the .vbs and .jse files) after execution to cover its tracks.
  • [T1016] System Network Configuration Discovery – The script obtains the host’s local IPv4 address (via a “ping” command) and uses it to construct file paths.
  • [T1620] Reflective Code Loading – The final stage loads a .NET assembly directly into memory and invokes its “start” method to establish C2, so the assembly never touches disk.
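The behaviours mapped above are also what a detection engineer would key on. The block below is an added example, not part of the original analysis: a small Python pass over constructed Sysmon/Security-log style events that flags script staging in ProgramData, the one-minute scheduled task, PowerShell started with an execution-policy bypass, a script host executing from ProgramData, PowerShell resolving cloud-storage API hosts, and the connection to 159.100.13.216:6606, then requires several rules to fire on one host before calling it a chain. Field names follow Sysmon’s schema; the C2 address and port, the staging directory, the script names and “-ep bypass” come from the report, while the Dropbox and Google API hostnames and all event contents are assumptions of the example.

```python
# Added example, not part of the Securonix analysis: a detection pass over
# constructed Sysmon/Security-log style events for the behaviours mapped above.
# Field names follow Sysmon's schema. The cloud API hostnames are an assumption;
# the C2 address/port, ProgramData staging, one-minute task and "-ep bypass"
# come from the report. Sample events are constructed, not real telemetry.
import re

C2_IP, C2_PORT = "159.100.13.216", 6606
STAGING_DIR = "c:\\programdata\\"
SCRIPT_EXT = (".vbs", ".jse", ".ps1")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe")
CLOUD_API_SUFFIXES = ("dropboxapi.com", "googleapis.com")  # assumed, not from the page


def _image(e):
    """Lower-cased basename of the acting process."""
    return e.get("Image", "").rsplit("\\", 1)[-1].lower()


def rule_staging_write(e):
    """Sysmon 11 (FileCreate): a script host drops a .vbs/.jse/.ps1 into ProgramData."""
    target = e.get("TargetFilename", "")
    if (e.get("EventID") == 11 and target.lower().startswith(STAGING_DIR)
            and target.lower().endswith(SCRIPT_EXT) and _image(e) in SCRIPT_HOSTS):
        return "script staged in ProgramData: " + target


def rule_minute_task(e):
    """Security 4698 (task created): the trigger repeats every minute (ISO 8601 PT1M)."""
    if e.get("EventID") == 4698 and "<Interval>PT1M</Interval>" in e.get("TaskContent", ""):
        return "scheduled task repeating every minute: " + e.get("TaskName", "?")


def rule_ps_bypass(e):
    """Sysmon 1 (ProcessCreate): PowerShell started with an execution-policy bypass."""
    cmd = e.get("CommandLine", "")
    if (e.get("EventID") == 1 and _image(e) == "powershell.exe"
            and re.search(r"-e(?:xecutionpolicy|p)\s+bypass", cmd, re.I)):
        return "powershell execution-policy bypass: " + cmd


def rule_script_from_staging(e):
    """Sysmon 1: wscript/cscript running a script that lives in ProgramData."""
    cmd = e.get("CommandLine", "")
    if (e.get("EventID") == 1 and _image(e) in ("wscript.exe", "cscript.exe")
            and STAGING_DIR in cmd.lower()):
        return "script host run from ProgramData: " + cmd


def rule_c2_connect(e):
    """Sysmon 3 (NetworkConnect): outbound connection to the C2 address and port."""
    if (e.get("EventID") == 3 and e.get("DestinationIp") == C2_IP
            and int(e.get("DestinationPort", 0)) == C2_PORT):
        return f"connection to C2 {C2_IP}:{C2_PORT} from {_image(e)}"


def rule_cloud_from_powershell(e):
    """Sysmon 22 (DnsQuery): PowerShell resolving a cloud-storage API host."""
    query = e.get("QueryName", "").lower()
    if e.get("EventID") == 22 and _image(e) == "powershell.exe" and query.endswith(CLOUD_API_SUFFIXES):
        return "powershell DNS lookup of cloud storage API: " + query


RULES = [rule_staging_write, rule_minute_task, rule_ps_bypass,
         rule_script_from_staging, rule_c2_connect, rule_cloud_from_powershell]


def run_detections(events):
    """Apply every rule to every event; return (host, rule name, message) per hit."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((e.get("Computer", "?"), rule.__name__, msg))
    return hits


def hosts_with_chain(events, min_rules=3):
    """Hosts on which at least `min_rules` distinct rules fired. A lone "-ep bypass"
    is routine admin noise; several stages of this chain on one host are not."""
    per_host = {}
    for host, rule, _ in run_detections(events):
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, fired in per_host.items() if len(fired) >= min_rules)


# Constructed sample events mirroring the chain, plus benign-looking activity on a second host.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WS = "C:\\Windows\\System32\\wscript.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "Image": WS, "TargetFilename": "C:\\ProgramData\\i4703.vbs"},
    {"EventID": 1, "Computer": "WS01", "Image": WS, "CommandLine": '"' + WS + '" C:\\ProgramData\\i4703.vbs'},
    {"EventID": 4698, "Computer": "WS01", "TaskName": "\\ExampleTask",
     "TaskContent": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval>"
                    "</Repetition></TimeTrigger></Triggers></Task>"},
    {"EventID": 1, "Computer": "WS01", "Image": PS, "CommandLine": "powershell -ep bypass -command C:\\ProgramData\\zz.ps1"},
    {"EventID": 22, "Computer": "WS01", "Image": PS, "QueryName": "content.dropboxapi.com"},
    {"EventID": 3, "Computer": "WS01", "Image": PS, "DestinationIp": C2_IP, "DestinationPort": 6606},
    {"EventID": 1, "Computer": "WS02", "Image": PS, "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"EventID": 3, "Computer": "WS02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, rule, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {msg}")
    print("hosts with a chain:", hosts_with_chain(SAMPLE_EVENTS))
```

The per-host threshold in `hosts_with_chain` is the part worth copying: every rule here fires on legitimate activity somewhere in a real estate (admins run `-ep bypass`, backup agents write to ProgramData, plenty of software polls Dropbox), but the combination of a script dropped into ProgramData, a one-minute task and PowerShell reaching a cloud API from the same machine within a short window is what this campaign looks like and what benign hosts do not.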

Indicators of Compromise

  • [IP] C2 address – 159.100.13.216 (port 6606 for the in-memory stage), used to host and control the attacker’s infrastructure.
  • [SHA256] Zip Archive – 91bd0f7e5af15248c1e3f2908891bbd9262753910fe4bbd61729f0c184287153
  • [SHA256] KZAH.exe (lure filename RFQ-101432620247fl[U+202E]xslx.exe, with the RLO character written out as [U+202E]) – b89d6be0bcfb915492beb7ae726f815dcf289a284e650c200bda4faf5db60fa1

  • [SHA256] 20240416.xlsx – 5F0642383CA70A3FD2C4491B2826002763E90CA25A7413869FD824E7745D0465
  • [SHA256] 97468.tmp – 590353941BAB80F38D77B2139BC7DA6888B3DFF9C8817C4B7E058F50173288BF
  • [SHA256] Tmp912.tmp – F96631CDFFA6AE69E5432C38778F3B93E5335A935F62939CD0094E5CCB886460
  • [SHA256] tmpdbx.ps1 – 8955585100F75C59472E4C2C77FCDDD7422400F745AE75132C81C6144AA86824
  • [SHA256] zz.ps1 – 7BB7CA87149B6407E1E7C11C1A528A2E2147D3096337E3DA6F6BE130F76FF6AC
  • [SHA256] Post-ex PowerShell script – BEAA71057AD064E96FC9F8227A7C2A3B8D70D13E45D5908F25C066D937D5BD9D
  • [SHA256] Gzip payload – f4275b0d3c4b6f3a165984b862f4890df14cc346013a22412f7288c9fdc65690

Read more: https://www.securonix.com/blog/analysis-and-detection-of-cloudreverser-an-attack-involving-threat-actors-compromising-systems-using-a-sophisticated-cloud-based-malware/