Security researchers have discovered malware that is using Evernote as a command and control (C&C) server, and is possibly storing stolen information in the popular note-taking application.
According to security firm Trend Micro, the malware consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The file, which Trend has termed BKDR_VERNOT.A, can gather details from the infected machine, such as its operating system, location and information on the registered owner and organisation. It can also download, execute and rename files, Trend Micro said.
In a blog post on the find, Nikko Tamaña, threat response engineer at Trend Micro, said that what is interesting about this particular piece of malware is what happens next.
“[The malware] retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account. The backdoor may also use the Evernote account as a drop-off point for its stolen information,” Tamaña wrote.
The company was blocked from accessing the Evernote account, possibly because the account's password was reset during Evernote's previous security incident, when it discovered unauthorised traffic on its network. The company said the activity was possibly trying to steal user information and data. As a precaution it reset passwords for all users.
What is particularly interesting about this latest case, and what is most worrying for enterprises, is that Evernote is a legitimate application and malicious traffic can hide within it.
Tamaña said services such as Evernote are the “perfect way” for cyber criminals to hide their traffic. “Because BKDR_VERNOT.A generates legitimate network traffic, most anti-malware products may not readily detect this behaviour as malicious. This can be troubling news not only for ordinary internet users, but also for organisations with employees using software like Evernote,” he added.
Consumer services such as Evernote as well as file storage and sharing services such as Google Drive and Dropbox are becoming increasingly popular with enterprise users. Not only can workers use them on their mobile devices but they are also quick and easy to use. However they are also generally unmonitored by IT departments, which can cause a security nightmare.