APT Attacks Using Cloud Storage

June 11, 2024, 10:31 a.m.

Description

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documents and additional malware from the attacker's cloud storage. The scripts collect system information, which is uploaded to the cloud, and then download and execute the XenoRAT remote access trojan. The malware allows the threat actor to perform various malicious activities on the compromised system.

External References

https://asec.ahnlab.com/en/66429/
https://otx.alienvault.com/pulse/6668223f438a6c308116a377
Tags
apt
dropbox
powershell
cloud
2024-06-11
xenorat

Date

  • Created: June 11, 2024, 10:09 a.m.
  • Published: June 11, 2024, 10:09 a.m.
  • Modified: June 11, 2024, 10:31 a.m.

Indicators

  • 159.100.29.122
Download all indicators here!

Attack Patterns

  • XenoRAT
  • T1107
  • T1064
  • T1497
  • T1057
  • T1105
  • T1083
  • T1071
  • T1055
  • T1036
  • T1053
  • T1059