SciTech
Malware exploits Evernote backdoor for cyberattacks
Who would have thought a cybercriminal would use the popular online note-taking utility Evernote to cover his or her tracks?
Security vendor Trend Micro said it found malware that uses Evernote as a command-and-control (C&C) server, fetching its instructions from notes in an Evernote account and dropping stolen data into the same account.
In a blog post, it said the malware, detected as BKDR_VERNOT.A, tries to connect to Evernote via https://evernote.com/intl/zh-cn, a legitimate URL.
"(H)ere’s the interesting part: BKDR_VERNOT.A retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account. The backdoor may also use the Evernote account as a drop-off point for its stolen information," it said.
"To avoid this threat, you must always be cautious with visiting unknown websites and opening email messages," it advised.
Trend Micro said the sample it obtained consists of an executable that drops a .DLL file and injects it into a legitimate process; the injected .DLL then performs the backdoor routines.
It gathers data from the infected system, such as the operating system version, time zone, user name, computer name, and registered owner and organization.
But Trend Micro said the sample it tested failed to log in with its embedded credentials, likely because Evernote had tightened security after a recent hacking incident.
Still, it said the malware can hide its tracks because it "generates legitimate network traffic": connections to a well-known service look ordinary, so most anti-malware products may not readily suspect its behavior.
"This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote," it added.
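The point above is that a backdoor talking to a popular service blends into ordinary traffic, so the useful control is not blocking the domain but looking at who talks to it and how regularly. The following is an added example, not code from Trend Micro or from this article: a small detector run over constructed proxy log lines (the log format, the client addresses and the user-agent strings are all assumptions). It flags a client that polls a watched SaaS domain from a non-browser user agent, or at near-fixed intervals, the way a backdoor checking an account for new commands would. It generalizes beyond Evernote: the watched-domain set can hold any service abused the same way.

```python
"""Flag periodic polling of legitimate SaaS domains in proxy logs.

Added example (not Trend Micro's or GMA's code).  The log format
"<ISO timestamp> <client ip> <destination host> <user agent>" and the
sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log.  10.0.0.5 is a person using the Evernote web client
# from a browser; 10.0.0.9 hits evernote.com every five minutes from a
# non-browser client, the pattern a command-polling backdoor produces.
SAMPLE_LOG = """\
2013-03-27T09:00:01 10.0.0.5 evernote.com Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T09:00:02 10.0.0.5 cdn.evernote.com Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T09:03:40 10.0.0.5 mail.example.com Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T09:00:00 10.0.0.9 evernote.com WinHttpClient/1.0
2013-03-27T09:05:00 10.0.0.9 evernote.com WinHttpClient/1.0
2013-03-27T09:10:01 10.0.0.9 evernote.com WinHttpClient/1.0
2013-03-27T09:15:00 10.0.0.9 evernote.com WinHttpClient/1.0
2013-03-27T09:20:00 10.0.0.9 evernote.com WinHttpClient/1.0
2013-03-27T09:14:12 10.0.0.9 www.bing.com Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
"""

# Services that legitimately carry lots of traffic and have been used as C&C
# or drop points.  Extend as needed (e.g. docs.google.com, sendspace.com).
WATCHED_DOMAINS = {"evernote.com"}

# Substrings that mark a real browser; anything else talking to a watched
# domain is worth a look (assumed markers, not an exhaustive list).
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "MSIE ", "Trident/")


def parse_line(line):
    """Split one log line into (timestamp, client, host, user_agent)."""
    ts, client, host, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, host, ua


def base_domain(host):
    """Reduce cdn.evernote.com -> evernote.com so sub-hosts group together."""
    return ".".join(host.split(".")[-2:])


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return suspicious (client, domain, user_agent) series with their reasons.

    A series is reported when the user agent is not a browser, or when it has
    at least `min_hits` requests whose inter-arrival times are nearly constant
    (coefficient of variation <= `max_cv`), i.e. a timer-driven poll.
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = parse_line(line)
        dom = base_domain(host)
        if dom in WATCHED_DOMAINS:
            series[(client, dom, ua)].append(ts)

    findings = {}
    for key, stamps in series.items():
        _client, _dom, ua = key
        reasons = []
        if not any(marker in ua for marker in BROWSER_MARKERS):
            reasons.append("non-browser user agent")
        stamps.sort()
        avg = cv = None
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0
            if cv <= max_cv:
                reasons.append(f"periodic polling every ~{avg:.0f}s")
        if reasons:
            findings[key] = {"hits": len(stamps), "mean_interval": avg,
                             "cv": cv, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (client, dom, ua), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dom} [{ua}] hits={info['hits']}: "
              + "; ".join(info["reasons"]))
```

On the sample, only 10.0.0.9's series is reported, on both grounds; the browser user's two hits on evernote.com and cdn.evernote.com are grouped under one domain and dropped. In practice the user-agent test alone is noisy (sync clients and updaters are not browsers either), so treat the periodic-polling reason as the stronger signal and tune `min_hits` and `max_cv` against a baseline of your own traffic.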
Not first time
Trend Micro also said this was not the first time malware authors had abused a legitimate service like Evernote to evade security software.
In 2012, it said, BKDR_MAKADOCS.JG used Google Docs to relay its communication with its C&C server.
Also, TSPY_SPCESEND.A used the file-hosting site Sendspace to store stolen data. — TJD, GMA News