Once installed, the researchers report, BKDR_VERNOT.A is capable of downloading, executing and renaming files on the infected PC. It also gathers information regarding the PC'S operating system, time zone, user name, computer name, registered owner and organization.
"But here’s the interesting part: BKDR_VERNOT.A retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account," writes TrendLabs threat response engineer Nikko Tamana. "The backdoor may also use the Evernote account as a drop-off point for its stolen information."
The sample that Trend Micro tested was unable to log into the Evernote account, though, which Tamana suggests may be a result of security measures implemented following the recent Evernote security breach.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers," Tamana writes. "Because BKDR_VERNOT.A generates a legitimate network traffic, most antimalware products may not readily detect this behavior as malicious."
As Tamana notes, there are several other recent examples of malware using legitimate services to avoid detection -- last year, a Trojan was found that used Google Docs as a proxy server, and another Trojan used SendSpace to store stolen Word and Excel files.