Widely Used A360 Cloud Drive Platform Abuse for Delivering Adwind, Remcos, Netwire Remote Access Trojans and used as a Malware Distributing Platform by using File sharing site to host Malware.
Nowadays Many Cloud Platform used as a Malware Delivering Platform that by hosting Malicious Files and also being served as a (C&C) infrastructure.
In this case, Command & Control Server Resolved by Free DNS services and it helps to RATs/backdoors that would phone back to their respective command-and-control servers after the Malicious RAT File were Downloaded and Executed.
“A360 is a cloud-based workspace that centralizes, connects and organizes your team and project information across your desktop, the web, and mobile devices.”A360 Drive provides online storage for collaboration. Anyone can create an account for free and given 5GB of space.
According to Trend Micro Report, U.S., South Africa, France, Italy, Germany, Hong Kong, and U.K. the most affected By this Distributed Adwind, Remcos, Netwire RAT’s.
How Does These RAT’s Abusing the Cloud Infrastructure
These 3 RAT’s Initially Spreading via the Spam Email Campaign with Different Malware Variant Functions.
Adwind RAT Intially Discovered from as a JAR file (JAVA_ADWIND.JEJPDY) which connect to the C&C Server when the Script get executed. later it will retrieve and exfiltrate multifarious data including credentials, keystrokes, and multimedia files.
NETWIRE RAT Identified through Spam Email Campign with attached (JAVA_KRYPTIK.NPP) file containing a Java ARchive (JAR) along with Exicutable Script and futher analysis confrms that, it has string references NETWIRE remote access tool with keylogging and SOCKS proxy capabilities.
Trend Micro Discovered a Document File that Discovered as “AMMO REQUEST MOD Turkey.doc” (W2KM_DROPPR.XWD) that contains a generic template for macro malware used to abuse the A360 Drive .
Macro File is Encrypted and also Obfusticated Exicutable that will be finally Decrypted.it contains a payloadthat is a malicious PowerShell script that will download a file from A360 Drive and execute it.
The downloaded payload is a Visual Basic obfuscated executable file. Deobfuscating it reveals the Trojanized Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. Trend Micro said.