This attack is very similar to the Quick Double Switch, but only difference is that the attacker maintains remote access to the victim's machine. This access allows the attacker to interact with the victim’s machine from time to time, execute arbitrary code, and collect that code’s output.
Attack Execution Phase:
- The attacker tricks the victim (using phishing or drive-by transfer attacks) or uses an exploit in order to execute the Switcher in victim's device. The Switcher then place the attacker’s synchronization token into the cloud Application.
- When this first switch is complete, the Switcher copies the original synchronization token into the synced folder.
- Now the Cloud Application syncs with the attacker’s account.
- The attacker is now owning the access to victim’s synced folder intern for synchronization token which is placed in the folder by the tool.
- The attacker then uses the stolen victim's synchronization token to connect with the victim’s file synchronization account by using the Switcher tool on the his own machine.
- The Switcher tool runs for the second time on the victim’s machine restoring the original synchronization token of the victim, essentially restoring the cloud Application to its original state.
- After this second switch the attacker sets up remote access to the victim’s computer. The remote access is set up by waiting for a file to show up in a specific location in the sync folder, and then executing that file, There are multiple methods for setting such backdoor like scheduled tasks, setting conditional events through WMI etc.
Once remote access is enabled, the attacker can execute arbitrary code on the victim’s machine by using the following process:
- Place the code in a specific location in the sync folder on the attacker’s machine.
- The code gets synchronized to the victim’s machine. The backdoor mechanism identifies the new file and executes it.
- The output of the code is written to the sync folder on the victim’s machine and is synchronized to the attacker’s machine.
- The attacker collects the output, then removes the output and the code.
Here the attacker's use victim’s cloud storage as remote access infrastructure.
Authored by Rajesh Rao