APT Attacks Using Cloud Storage
June 11, 2024, 10:31 a.m.
Description
The report describes a malicious campaign in which threat actors use cloud services such as Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack starts with a malicious shortcut (LNK) file that executes PowerShell scripts, which download decoy documents and additional malware from the attacker's cloud storage. The scripts collect system information and upload it to the cloud, then download and execute the XenoRAT remote access trojan. The malware allows the threat actor to perform various malicious activities on the compromised system.
Date
Published: June 11, 2024, 10:09 a.m.
Created: June 11, 2024, 10:09 a.m.
Modified: June 11, 2024, 10:31 a.m.
Attack Patterns
XenoRAT
T1107
T1064
T1497
T1057
T1105
T1083
T1071
T1055
T1036
T1053
T1059