In the latest compromise of online file-sharing services, the trojan BKDR_VERNOT.A “retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account,” explained Trend Micro researcher Nikko Tamaña. “The backdoor may also use the Evernote account as a drop-off point for its stolen information.”
The malware attempts to connect to Evernote via its Chinese homepage, using the legitimate URL. It then drops a .DLL file and injects it into a legitimate process, and that injected file performs the actual backdoor routines.
The malware is built to download, execute and rename files. It then gathers information from the infected system, including details about its operating system, time zone, user name, computer name, registered owner and organization, and sends it back to its controllers.
“As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers,” said Tamaña. “Because BKDR_VERNOT.A generates legitimate network traffic, most anti-malware products may not readily detect this behavior as malicious. This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote.”
Unfortunately for businesses, this is not the first time a legitimate service like Evernote has been used as a method of evasion. Last year malware was found using Google Docs to communicate with its C&C server, and the file-hosting site Sendspace was used as storage for stolen information by spyware that gathers MS Word and Excel files.
Then there are the variations on the theme, like Flashback, the trojan that infected more Macs than any other malware in history. It used hacked WordPress sites to redirect page visitors to malicious URLs filled with malware.
Compounding the problem, Trend Micro CTO Raimund Genes told Ars Technica that overall, file-sharing sites often escape the attention of IT administrators. "Nobody's going to block Dropbox or Box," he said. And criminals, he added, often hide activity by staggering bursts of traffic from the malware so it is not constant, making it look like normal cloud-app usage levels.
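Because the backdoor's traffic goes to a real service over its real URL, blocking the destination is not an option; what a defender can still look at is how a host uses the service compared with its peers. The script below is an added illustration of that idea and is not code from the article, from Trend Micro, or from any real product. The proxy log excerpt is constructed, and the service hostname (`evernote.example`), the expected client user-agent prefix, the business-hours window and the thresholds are all assumptions to be tuned per environment. It scores each host on three signals: whether the client talking to the service is the expected application, what share of its requests fall outside business hours, and whether its request intervals are near-constant (beacon-like). The sample deliberately includes a host that, as the article describes, staggers its activity in bursts, so the interval check does not fire on it and only the other two signals catch it.

```python
"""Hunt for backdoor-style use of a legitimate cloud service in proxy logs.

Added example (not from the article or Trend Micro). The log lines are
constructed; hostnames, user agents, business hours and thresholds are
assumptions that a defender would tune for their own environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED_DOMAIN = "evernote.example"        # assumed service name
EXPECTED_AGENT_PREFIX = "EvernoteClient/"  # assumed official client user agent
BUSINESS_HOURS = range(8, 18)              # 08:00-17:59 local time (assumption)

# Constructed proxy log excerpt: time, source host, destination, bytes out, user agent.
# ws-17 is an employee using the desktop client during the day; ws-42 talks to the
# same service at night, from a generic browser-like agent, in two short bursts.
SAMPLE_LOG = """\
2013-03-27T09:02:11 ws-17 evernote.example 812 EvernoteClient/4.6
2013-03-27T09:47:40 ws-17 evernote.example 2048 EvernoteClient/4.6
2013-03-27T11:30:05 ws-17 evernote.example 1536 EvernoteClient/4.6
2013-03-27T14:12:58 ws-17 evernote.example 4096 EvernoteClient/4.6
2013-03-27T02:00:00 ws-42 evernote.example 700 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T02:00:07 ws-42 evernote.example 700 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T02:00:15 ws-42 evernote.example 700 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T04:10:00 ws-42 evernote.example 700 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T04:10:09 ws-42 evernote.example 9100 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T04:10:20 ws-42 evernote.example 700 Mozilla/4.0 (compatible; MSIE 6.0)
"""


def parse_log(text):
    """Parse the constructed log format into (time, host, dest, bytes_out, agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, out, agent = line.split(" ", 4)  # agent may contain spaces
        events.append((datetime.fromisoformat(ts), host, dest, int(out), agent))
    return events


def per_host_signals(events):
    """Summarise each host's use of the watched service into comparable signals."""
    by_host = defaultdict(list)
    for ev in events:
        if ev[2] == WATCHED_DOMAIN:
            by_host[ev[1]].append(ev)

    signals = {}
    for host, evs in by_host.items():
        evs.sort()  # tuples sort by timestamp first
        off_hours = sum(e[0].hour not in BUSINESS_HOURS for e in evs) / len(evs)
        foreign_agent = any(not e[4].startswith(EXPECTED_AGENT_PREFIX) for e in evs)
        # Coefficient of variation of inter-request gaps: near 0 means a fixed
        # beacon interval; staggered bursts (as the article describes) push it up.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        interval_cv = None
        if len(gaps) >= 3 and mean(gaps) > 0:
            interval_cv = round(pstdev(gaps) / mean(gaps), 2)
        signals[host] = {
            "requests": len(evs),
            "bytes_out": sum(e[3] for e in evs),
            "off_hours_share": round(off_hours, 2),
            "foreign_agent": foreign_agent,
            "interval_cv": interval_cv,
        }
    return signals


def suspicious_hosts(signals, max_off_hours=0.5, max_cv=0.25):
    """Return {host: [reasons]} for hosts that trip at least one signal."""
    flagged = {}
    for host, s in signals.items():
        reasons = []
        if s["foreign_agent"]:
            reasons.append("client is not the expected app")
        if s["off_hours_share"] > max_off_hours:
            reasons.append("mostly outside business hours")
        if s["interval_cv"] is not None and s["interval_cv"] < max_cv:
            reasons.append("near-constant request interval")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    sig = per_host_signals(parse_log(SAMPLE_LOG))
    for host, reasons in suspicious_hosts(sig).items():
        print(host, sig[host], "->", "; ".join(reasons))
```

Run as-is it reports only `ws-42`, flagged for the unexpected client and the off-hours pattern; its interval score is high because of the bursts, which is exactly the evasion Genes describes. The takeaway is that no single signal is reliable against an adversary who knows what normal looks like, so per-host baselines for an allowed service should combine several independent dimensions (who the client is, when it talks, how much it sends) rather than rely on timing alone.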
“Malware like [these] only show the extent that online bad guys will go to hide their schemes,” said Tamaña.