APT Attacks Using Cloud Storage
AhnLab SEcurity intelligence Center (ASEC) has been sharing cases of attacks in which threat actors use cloud services such as Google Drive, OneDrive, and Dropbox to collect user information or distribute malware. [1][2][3] The threat actors mainly upload malicious scripts, RAT malware strains, and decoy documents to the cloud storage and use them to carry out the attack. The uploaded files are chained together and perform a variety of malicious behaviors.
The process from the first distribution file to the execution of RAT malware is as follows:
In this attack type, multiple files are chained together as shown in Figure 1, and all of them are served from the threat actor's cloud storage. Accordingly, malware strains not covered in this article may also be downloaded, and other malicious behaviors, such as information theft, may be performed.
EXE and shortcut files (*.LNK) were the first files to be distributed, and this article explains the operation process through an LNK file, a file type that is …
IoC
[email addresses redacted]
159.100.29.122
238cd8f609b06258ab8b4ded82ebbff8
52e5d2cd15ea7d0928e90b18039ec6c6
5d2fdc098d1e1a7674a40ef9140058ed
66b5ffb611505f0067c868dfa84aea60
6ad00d48fdce8dc632b13f6c2438f893
bcb0a6360f057475c63fb16e61fb3adc
c45d209f666f77d70bed61e6fca48bc2
d9d9b8375f74812c41a1cd9abce25ac9
dd2988c792b0252db4c39309e6cb2c48
f396bf5ff64656b592fe3d665eab8aa3
http://159.100.29.122:8811
https://dl.dropboxusercontent.com/scl/fi/9d9msk907asjhilhjr75m/So****g-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0
https://dl.dropboxusercontent.com/scl/fi/9d9msk907asjhilhjr75m/SoJ****-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0
https://dl.dropboxusercontent.com/scl/fi/gswgcmbktt1hthntozgep/SoJ****-F.txt?rlkey=n9xglo02xfnf14b9btgtw8aqi&st=w9zt1es5&dl=0
https://dl.dropboxusercontent.com/scl/fi/lpoo2f42y7x5uy6druxa0/SoJ****.html?rlkey=ckv37q02rh9j1qsw7ed28bimv&st=64zsdvba&dl=0
https://drive.google.com/uc?export=download&id=[omitted
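The attack chain described above is served entirely from the threat actor's cloud storage, so the IoCs worth hunting for in proxy logs are the cloud-storage share links and the C2 address, alongside the file hashes for endpoint checks. The following Python script is an added example and is not part of the ASEC article; it loads the hashes, IP and Dropbox URLs from the IoC list above, matches Dropbox share links on their stable parts (the file id in the `/scl/fi/<id>/` path segment and the `rlkey` parameter) rather than on the masked file name, flags any other download from the cloud hosts used in the campaign for review, and runs over a few constructed proxy-log lines in a hypothetical `timestamp client method url status` format. The Google Drive file id is omitted in the article, so Google Drive requests can only be matched at host level here; the `PLACEHOLDER_ID` in the sample log is a constructed value.

```python
"""Match proxy-log lines and file hashes against the IoCs from the ASEC article above."""
import re
from urllib.parse import urlparse, parse_qs

# MD5 hashes and C2 IP listed in the article's IoC section.
IOC_MD5 = {
    "238cd8f609b06258ab8b4ded82ebbff8", "52e5d2cd15ea7d0928e90b18039ec6c6",
    "5d2fdc098d1e1a7674a40ef9140058ed", "66b5ffb611505f0067c868dfa84aea60",
    "6ad00d48fdce8dc632b13f6c2438f893", "bcb0a6360f057475c63fb16e61fb3adc",
    "c45d209f666f77d70bed61e6fca48bc2", "d9d9b8375f74812c41a1cd9abce25ac9",
    "dd2988c792b0252db4c39309e6cb2c48", "f396bf5ff64656b592fe3d665eab8aa3",
}
IOC_IPS = {"159.100.29.122"}

# Dropbox share links from the IoC section (file names are masked in the article).
IOC_URLS = [
    "https://dl.dropboxusercontent.com/scl/fi/9d9msk907asjhilhjr75m/So****g-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0",
    "https://dl.dropboxusercontent.com/scl/fi/9d9msk907asjhilhjr75m/SoJ****-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0",
    "https://dl.dropboxusercontent.com/scl/fi/gswgcmbktt1hthntozgep/SoJ****-F.txt?rlkey=n9xglo02xfnf14b9btgtw8aqi&st=w9zt1es5&dl=0",
    "https://dl.dropboxusercontent.com/scl/fi/lpoo2f42y7x5uy6druxa0/SoJ****.html?rlkey=ckv37q02rh9j1qsw7ed28bimv&st=64zsdvba&dl=0",
]
# Cloud-storage hosts used by the campaign; the Google Drive file id is omitted
# in the article, so drive.google.com can only be matched at host level.
CLOUD_HOSTS = {"dl.dropboxusercontent.com", "drive.google.com"}

DROPBOX_SHARE = re.compile(r"^/scl/fi/([0-9a-z]+)/")


def share_key(url):
    """Return (host, file_id, rlkey) for a Dropbox share link, or None.

    The file-name path segment is ignored: it is masked in the IoC list, and the
    same file id resolves regardless of the name, so id and rlkey are the stable parts.
    """
    p = urlparse(url)
    m = DROPBOX_SHARE.match(p.path)
    if p.hostname != "dl.dropboxusercontent.com" or not m:
        return None
    rlkey = parse_qs(p.query).get("rlkey", [None])[0]
    return (p.hostname, m.group(1), rlkey)


IOC_SHARE_KEYS = {k for k in map(share_key, IOC_URLS) if k}


def classify_url(url):
    """'c2' for the raw-IP C2, 'ioc' for a known Dropbox share link,
    'cloud' for any other download from the campaign's cloud hosts, else None."""
    host = urlparse(url).hostname or ""
    if host in IOC_IPS:
        return "c2"
    if share_key(url) in IOC_SHARE_KEYS:
        return "ioc"
    if host in CLOUD_HOSTS:
        return "cloud"
    return None


# Constructed sample log in a hypothetical "timestamp client method url status" format.
SAMPLE_PROXY_LOG = """\
2024-06-01T09:12:03Z 10.0.0.15 GET https://dl.dropboxusercontent.com/scl/fi/9d9msk907asjhilhjr75m/report.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=zz&dl=0 200
2024-06-01T09:12:05Z 10.0.0.15 GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID 200
2024-06-01T09:12:09Z 10.0.0.15 POST http://159.100.29.122:8811/ 200
2024-06-01T09:13:00Z 10.0.0.22 GET https://www.example.com/index.html 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(text):
    """Return one hit dict per log line whose URL matches an IoC or a cloud host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url, "verdict": verdict})
    return hits


def scan_hashes(md5s):
    """Return the subset of the given MD5 strings that appear in the IoC list."""
    return {h.lower() for h in md5s} & IOC_MD5


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['verdict']:5} {hit['ts']} {hit['client']} {hit['url']}")
    print(scan_hashes(["238CD8F609B06258AB8B4DED82EBBFF8", "00" * 16]))
```

A `cloud` verdict is a review signal rather than an alert on its own, since both hosts serve legitimate traffic; correlating it with the originating process (an LNK-launched script rather than a browser) is what turns it into a detection, and that correlation needs endpoint telemetry the proxy log alone does not carry.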