While the most common cloud apps are also the most exploited for delivering malicious content, opportunistic and state-sponsored threat actors are constantly looking for additional cloud services to leverage throughout multiple stages of the attack chain.
The growing exploitation of cloud services has led the major cloud service providers to enforce restrictive controls to mitigate the risk of abuse of their platforms. And even though a lesser-known service means a lower chance of success for the attackers (users may be uncomfortable downloading or accessing content from a cloud application they are not familiar with), the advantages still outweigh the drawbacks: a cloud service offers simplified hosting, and the corresponding malicious traffic is easily hidden among legitimate sessions.
In a recent example, discovered by researchers at ESET while investigating the recent supply-chain attack on 3CX carried out by the infamous North Korean threat actor Lazarus Group, the same attackers deployed a previously unknown Linux malware disguised as a PDF document, distributed via spear phishing or direct messages. The malware was distributed as part of a new campaign, considered a follow-up to Operation Dream Job, targeting people working on software or DeFi platforms with fake job offers on social media.
The first-stage payload of this campaign is a downloader, dubbed OdicLoader by the researchers, which, when executed, displays a decoy PDF document and then downloads a second-stage backdoor from the