Evernote account used to deliver instructions to malware

It's not the first time hackers have designed malware to use legitimate services to post instructions for their botnets

A piece of malicious software spotted by Trend Micro uses the note-taking service Evernote as a place to pick up new instructions.

The malware is a backdoor, or a kind of software that allows an attacker to execute various actions on a hacked computer. Trend Micro found it tries to connect to Evernote in order to obtain new commands.

[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's "Fight Today's Malware" Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]

"The backdoor may also use the Evernote account as a drop-off point for its stolen information," wrote Nikko Tamana, a Trend Micro threat response engineer.

It's not unheard of for hackers to design malware to abuse legitimate services, either to make the malware more difficult to trace or give it a less suspicious profile. In the past, Twitter and Google Docs have been used by hackers to post instructions for their botnets.

"As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys' tracks and prevent efforts done by the security researchers," Tamana wrote.

This particular malware, which Trend Micro named "BKDR_VERNOT.A," tries to obtain instructions from a note in an Evernote account. For some reason, the login credentials within the malware did not appear to work when Trend Micro was testing it.

"This is possibly a security measure imposed by Evernote following its recent hacking issue," Tamana wrote.

Earlier this month, Evernote reset the passwords for 50 million of its users after hackers obtained access to account usernames, email addresses and encrypted passwords.

Evernote officials couldn't be immediately reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies