Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.
We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags. It resembled the way Google Drive was misused as a repository of stolen data, for instance.
The payloads we saw during our research—remote access tools (RATs)—are also notable. We found that after they were downloaded and executed, the RATs/backdoors would phone back to their respective command-and-control servers, which are resolvable via free DNS services. It’s not a novel technique, but our correlation of the indicators of compromise (IoCs) suggests that a potentially sustained, cybercriminal operation took advantage of this platform.