Cybercriminals Using Evernote As Drop-Off Point For Stolen Information
Cybercriminals are using popular note-taking app Evernote as a staging ground for the command and control of a newly detected malware strain.

Security vendor Trend Micro said it detected the Vernot malware, a Trojan that gathers information on infected systems. The malware retrieves commands from an Evernote account, which is also believed to be a drop-off point for stolen information, the security firm said.

"As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys' tracks and prevent efforts done by the security researchers," wrote Nikko Tamana, a Trend Micro threat researcher, in his analysis of the Vernot malware.

Vernot generates legitimate network traffic, making detection difficult, Tamana said. "This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote."

Evernote reset millions of user passwords following a data breach of its systems earlier this month. The company took the action after it detected an attack emanating from its systems that attempted to gain access to its restricted corporate network. The breach is not likely connected to the Vernot malware, Tamana said, but the password reset restricted the use of the login credentials embedded in the malware.

Cybercriminals have increasingly been using legitimate Web-based services as drop sites and to deliver commands, according to security experts. Security researchers have seen Twitter, Facebook and other social network accounts used to deliver commands to hordes of malware-infected computers.

The use of Twitter by botnet operators to distribute commands to infected machines was documented as far back as 2009. Security teams and technologies deployed at social networks monitor for suspicious activity and quickly contain and delete accounts that abuse the site's terms of service agreement. Facebook, meanwhile, was used to send commands to the Whitewell malware, according to Symantec. The Trojan was designed to use the mobile version of Facebook to receive configuration data based on the system it infected.

Trend Micro's Tamana said some of the latest attacks have used Google Docs to distribute commands to malware and collect Microsoft Word and Excel files. In February Trend Micro detected suspicious uploads to file-hosting site sendspace.com and connected it to two Trojans used to steal the Microsoft files.
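The two points above, that Vernot's traffic looks legitimate and is therefore hard to spot, and that Evernote, Twitter, Facebook, Google Docs and sendspace.com have all been used as command channels or drop sites, suggest a network-side check that does not depend on which service is abused. The Python script below is an added example written for this page, not code from the article or from Trend Micro. It runs over a constructed proxy log (the hosts, timestamps and byte counts are made up for the example) and flags two things per internal host and service: requests that recur at a near-constant interval, as a polling implant would produce, and a single upload far larger than that host's usual traffic to the service, as a data drop-off might look. The watchlist of services, the log format and the thresholds are assumptions; a real deployment would tune them against the organization's own baseline.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median, pstdev

# Legitimate services the article names as having been abused for
# command delivery or data drop-off. Assumption: the registered domain
# is enough to group traffic; real logs would also carry URL paths.
WATCHLIST = {"evernote.com", "twitter.com", "facebook.com",
             "docs.google.com", "sendspace.com"}

# Constructed sample proxy log, one request per line:
#   ISO-time  src-ip  dest-host  bytes-out  user-agent
SAMPLE_LOG = """\
2013-03-28T09:00:00 10.0.0.5 api.evernote.com 512 Mozilla/4.0 (compatible)
2013-03-28T09:05:00 10.0.0.5 api.evernote.com 498 Mozilla/4.0 (compatible)
2013-03-28T09:10:00 10.0.0.5 api.evernote.com 530 Mozilla/4.0 (compatible)
2013-03-28T09:15:00 10.0.0.5 api.evernote.com 40960 Mozilla/4.0 (compatible)
2013-03-28T09:20:00 10.0.0.5 api.evernote.com 505 Mozilla/4.0 (compatible)
2013-03-28T09:02:13 10.0.0.9 www.evernote.com 1200 Mozilla/5.0 (Windows NT 6.1)
2013-03-28T09:37:41 10.0.0.9 www.evernote.com 3400 Mozilla/5.0 (Windows NT 6.1)
2013-03-28T11:04:02 10.0.0.9 www.evernote.com 800 Mozilla/5.0 (Windows NT 6.1)
2013-03-28T09:01:00 10.0.0.7 www.example.com 300 Mozilla/5.0 (Windows NT 6.1)
"""


@dataclass
class Record:
    ts: datetime
    src: str
    dst: str
    bytes_out: int
    user_agent: str


@dataclass
class Finding:
    src: str
    dst: str
    reason: str
    detail: str


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def parse_log(text: str) -> list[Record]:
    """Parse the constructed log format; the user-agent may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, bytes_out, ua = line.split(maxsplit=4)
        records.append(Record(datetime.fromisoformat(ts), src, dst, int(bytes_out), ua))
    return records


def group_by_peer(records: list[Record]) -> dict[tuple[str, str], list[Record]]:
    """Bucket requests by (internal host, watchlisted service)."""
    groups: dict[tuple[str, str], list[Record]] = defaultdict(list)
    for r in records:
        dom = registered_domain(r.dst)
        if dom in WATCHLIST:
            groups[(r.src, dom)].append(r)
    return groups


def find_beacons(groups, min_hits: int = 4, max_cv: float = 0.1) -> list[Finding]:
    """Flag hosts whose requests to a service recur at a near-constant interval.

    A low coefficient of variation (std/mean) of the inter-request gaps is
    characteristic of a timer-driven poll rather than a person using the app.
    """
    findings = []
    for (src, dom), recs in groups.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r.ts for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append(Finding(src, dom, "regular beacon",
                                    f"{len(recs)} requests every ~{avg:.0f}s (cv={cv:.2f})"))
    return findings


def find_upload_spikes(groups, factor: int = 10, min_hits: int = 3) -> list[Finding]:
    """Flag a single upload far above the host's median upload size to that service."""
    findings = []
    for (src, dom), recs in groups.items():
        if len(recs) < min_hits:
            continue
        baseline = median([r.bytes_out for r in recs])
        for r in recs:
            if r.bytes_out > factor * baseline:
                findings.append(Finding(src, dom, "upload spike",
                                        f"{r.bytes_out} bytes at {r.ts.isoformat()} vs median {baseline:.0f}"))
    return findings


def analyze(text: str) -> list[Finding]:
    """Run both heuristics over a log and return the combined findings."""
    groups = group_by_peer(parse_log(text))
    return find_beacons(groups) + find_upload_spikes(groups)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason} ({f.detail})")
```

In the constructed log, 10.0.0.5 polls api.evernote.com every five minutes and pushes one 40 KB upload among sub-kilobyte requests, so it is reported twice; 10.0.0.9 uses the same service at irregular, human-looking intervals and is not reported. Neither heuristic inspects content, which is the point: a service that is legitimately allowed on the network can still be watched for machine-like usage patterns.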

PUBLISHED MARCH 28, 2013