Written by: Rowena Diocton

In a reported incident, cybercriminals took advantage of note-taking service, Evernote, thus demonstrating their continued efforts to use legitimate services for malicious purposes. In doing so, cybercriminals hope to evade detection and accomplish their goals. 

The Evernote incident is reminiscent of the Google Docs incident, when BKDR_MAKADOCS.JG used http://docs.google.com as proxy for its command-and-control (C&C) servers. It also reminds of the TSPY_SPCESEND.A malware, which uses file hosting website, Sendspace, to store stolen data.

Similar to various malware, BKDR_VERNOT.A can get into a computer system when users visit malicious sites, unknowingly downloading the said malware. It may also be dropped by other malware on user systems. 

What happens when BKDR_VERNOT.A is executed on a system?

Once installed, this backdoor drops a .DLL file or component that is formatted in the same way as the computer’s temporary directory or folder. This .DLL component then injects itself in a legitimate process, specifically Windows Explorer. The .DLL file then starts the actual backdoor routines.

BKDR_VERNOT.A then connects to the note-taking service, Evernote, using the link https://evernote.com/intl/zh-cn as its referrer. If it were able to get through Evernote, the malware then uses login credentials programmed in its code to retrieve malicious codes saved in notes on the service. 

During the time of testing, the malware was unable to log in, possibly due to Evernote’s service-wide password reset before the incident. However, if able to log in, the malware can then retrieve information about the C&C server in one of the notes saved. Notably, BKDR_VERNOT.A has no capability of stealing information from notes of other Evernote accounts.

After logging in, the malware can run commands to gather information from the infected system. It can also use Evernote as its drop-off point for the information it has stolen. In addition, commands found on the Evernote account also instructs the malware to download, execute, and rename files as well as extract archived ones.

The specific sample found was designed to run in Windows operating systems and will not work on Evernote applications in mobile devices.

What makes BKDR_VERNOT.A notable?

Although the infiltration technique of this malware is similar to other backdoors, it is deemed notable because of its use of Evernote as a C&C server where it can retrieve malicious codes. If it had logged in to Evernote using correct credentials, it would have easily retrieved commands from notes in the note-taking services. 

Evernote, known for its note-taking and storage capabilities, is a disconcerting choice for cybercriminals given that many users store both personal and company information in it. 

In addition, the use of legitimate service on this incident deviates from usual cybercriminal C&C communication techniques. These techniques usually involve network requests that IT administrators can watch out for through network monitoring, blacklisting, and other security methods. 

Why does malicious use of legitimate services persist?

The use of legitimate services like Evernote solves major problems for cybercriminals. Running their malicious activities through legitimate channels can be an effective way to mask communication against network and file tracking techniques employed by most anti-malware products today.

In addition, the sheer volume of users of popular legitimate services decrease the chance of malware activity discovery, as it will take time for IT departments to develop rules that will track malicious activity on legitimate channels. Small companies with minimal employees may not even bother to look into these, trusting that these services will make sure to secure access on their end.

Relying on legitimate services to guard against threats may not provide ample security for users. With the consumerization of IT, enterprises in particular are vulnerable to data loss through compromised legitimate services brought by its employees for use in the office. The more employees bring their own apps or services in the corporate network without ample policy, the more risks there are to corporate data.

For instance, employees can adopt Evernote as a main tool for note-taking during meetings, setting it to automatically sync to various computer systems or devices. Cybercriminals may find ways to steal high-level company information. 

This incident shows that cybercriminals treat legitimate services as assets with potential for malware use, which is something that many consumer and enterprise users may not be ready for. Should IT departments or individuals fail to look over these channels; chances of compromising sensitive information will remain high.

Are Trend Micro customers protected from these threats?

Trend Micro product users are protected from this threat via the Trend Micro™ Smart Protection Network™, which proactively identifies and mitigates threat incidents such as this. Trend Micro customers receive the Web, Email, and File reputation services, which all work hand in hand in blocking threats.

Expert Insights

As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers. Because BKDR_VERNOT.A generates legitimate network traffic, most anti-malware products may not readily detect this behavior as malicious. This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote.” – Nikko Tamana, threat response engineer