At least one group of cybercriminals has taken to Evernote, the popular cloud-based note-taking and data-sharing service, as a base of operations for a data-stealing Trojan, according to Trend Micro threat response engineer Nikko Tamana.
Trend Micro detected the threat as “BKDR_VERNOT.A” and observed it attempting to connect to a live Evernote URL at “hxxps://evernote[.]com/intl/zh-cn”. The payload consisted of an executable that dropped a .DLL file, which carried out the actual backdoor routines.
Upon installation, the backdoor has the capacity to download, execute and rename files. It also gathers system information, such as details about its host’s operating system, timezone, user and computer name, registered owner, and organization.
Interestingly, Tamana writes, the Trojan contacts its command server and requests its backdoor functions from notes saved on Evernote. It is also possible that the Evernote account may act as an intermediary storage point for the data that the malware steals from its hosts.
In the last year, cybercriminals have increasingly found that certain social networks and other online services make for pretty good command and control servers. We reported on a variant of the Mac-targeting Flashback malware that occasionally phoned home to Twitter when its normal C&C was unavailable. Similarly, in November, a Windows 8 Trojan popped up in Brazil that was using Google Docs as a proxy server instead of relying on a more traditional C&C structure.
This C&C method is gaining traction among criminals because it is very difficult to track and block. Antimalware scanners and network monitors have difficulty detecting malware of this sort because, by communicating with Evernote, the traffic the malware generates is seemingly legitimate.
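Because the destination alone looks legitimate, one defensive approach is to ask which process on the endpoint opened the connection. The sketch below is an added example, not code from Trend Micro or the original report; the JSON log format, field names, host names, sample events and the allowlist of expected client processes are all constructed assumptions.

```python
import json
import ntpath

# Domains whose traffic is trusted by default and therefore worth a second look.
WATCHED_SUFFIXES = ("evernote.com",)
# Hypothetical allowlist: processes expected to reach the service in this environment.
EXPECTED_IMAGES = {"evernote.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "WS-014", "image": "C:\\Program Files (x86)\\Evernote\\Evernote.exe", "dest_host": "www.evernote.com"}
{"host": "WS-014", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_host": "evernote.com"}
{"host": "WS-022", "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\updater.exe", "dest_host": "evernote.com"}
{"host": "WS-022", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_host": "evernote.com.example.net"}
<truncated record
"""

def is_watched(dest_host):
    """True for a watched domain or one of its subdomains, not for look-alikes."""
    host = dest_host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def unexpected_clients(lines):
    """Return (host, image, dest_host) for watched-domain traffic from unlisted processes."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the sweep
        dest = event.get("dest_host", "")
        image = event.get("image", "")
        if not is_watched(dest):
            continue
        # ntpath parses Windows paths correctly even when the analysis box is not Windows.
        if ntpath.basename(image).lower() not in EXPECTED_IMAGES:
            findings.append((event.get("host"), image, dest))
    return findings

if __name__ == "__main__":
    for finding in unexpected_clients(SAMPLE_EVENTS.splitlines()):
        print("review:", finding)
```

A hit is a triage signal rather than proof of compromise, so pair it with checks on the image path and file signature before acting.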
Trend Micro’s research is likely unwelcome news for the note-taking service, which is still reeling from a compromise earlier this month.