Netskope Threat Research Labs has published detailed research on the “CloudFanta” malware campaign, which is suspected of having stolen more than 26,000 email credentials since July 2016. CloudFanta abuses SugarSync, a cloud storage app, to distribute itself; once installed it steals user credentials and monitors online banking activity to extract sensitive information.
CloudFanta reaches its victims through a link in a spear-phishing email that lures the victim into clicking the link or executing a downloaded file. According to Netskope, the malware was distributed through a SugarSync direct-download URL such as “https://www[.]sugarsync[.]com/pf/D3202366_07280196_66523?directDownload=true.”
The downloaded zip archive “NF-9944132-br.zip” contained a downloader JAR file “NF-9944132-br.PDF.jar,” named with the dual extension “.PDF.jar.” The files retrieved by this downloader JAR are detected by Netskope Threat Protection as “Backdoor.Generckd.3549404.”
Netskope’s analysis shows that victims are primarily targeted through a link in a spear-phishing email that leads them to download a zip file; the dual extension “.PDF.jar” is meant to make the JAR look like a PDF document. When the victim opens the JAR file, it silently downloads DLL (Dynamic Link Library) files in the background into C:\users\public.
CloudFanta evades network security devices such as firewalls and intrusion detection systems because it downloads the DLL files under the decoy extension “.PNG” and over SSL/HTTPS, so the payload looks like an image fetched from a legitimate cloud service. Once on the host, the DLL files are renamed to the machine’s hostname with the extension “.TWERK.”
Ravi Balupari, director of engineering and cloud security research at Netskope, explains: “This malware campaign looks for the users’ email addresses and passwords,” he says. “It’s also targeting specific users.” The primary target of CloudFanta is currently Brazil.
How does the credential theft work? When a victim on an infected machine visits a targeted sign-in page, the malware redirects the browser to a phishing sign-in page that mimics the original. The credentials entered there are uploaded to the C&C server, and the victim is then redirected back to the legitimate sign-in page. According to Balupari, the malware also defeats the virtual keyboards that most banks use for sign-in.
When victims log in to their accounts, the malware takes a snapshot at every single mouse click. It also saves a text file recording the clicks, which lets the attackers reconstruct the password typed on the virtual keyboard later.
SugarSync isn’t the only cloud application abused by CloudFanta; the malware also used Dropbox to host malicious files. SugarSync’s direct-download links and broad user base made it easier for the malware to spread.
Traditional malware relied on attacker-controlled servers to host its payloads; cloud storage services instead give attackers a trusted, highly available host, so cloud-based malware can spread quickly and be reached from anywhere.
Balupari explains, “Typically, cloud-based apps provide a convenient method for downloading files.”
Netskope has partnered with SugarSync to stop the malware from spreading by taking down the malicious URLs. The collaboration aims to share information on malicious links and to monitor how CloudFanta evolves in other malware campaigns.
Balupari said, “We’ll definitely see a rise in cloud malware campaigns going forward,” and added, “Enterprises and customers who have been adopting cloud apps need to add additional layers of security.”
Businesses and individuals can take several steps to keep cloud-hosted malware away from their sensitive information: a policy that blocks downloads declared as “image/png” whose content is actually executable, end-to-end encryption software, showing extensions for known file types in Windows Explorer so that a name like “.PDF.jar” is visible, two-factor authentication, Virtual Private Network (VPN) software, up-to-date antivirus, and keeping systems patched.
IT staff should also make a practice of tracking and detecting unauthorized cloud services, and enforce policies for data loss prevention, data handling, and backup of sensitive data stored in the cloud.
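The checks behind two of these recommendations, as an added example that is not Netskope’s code or the page’s own: a content-type check that flags a download declared as an image but whose bytes are a PE or ZIP/JAR (the “.PNG” evasion described earlier), a dual-extension check for archive members such as “NF-9944132-br.PDF.jar,” and a host-side check for the renamed DLL. The sample archive, the byte strings, the sets of decoy and executable extensions, and the exact “<hostname>.TWERK” filename pattern are assumptions constructed for this example.

```python
"""Detections for CloudFanta-style downloads (example code, not Netskope's)."""
import io
import zipfile

# File signatures (magic bytes) checked regardless of the declared name/type.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"            # DOS/PE header shared by Windows .exe and .dll
ZIP_MAGIC = b"PK\x03\x04"   # ZIP container, also used by JAR files

# Assumed extension sets for the dual-extension check.
EXECUTABLE_EXTS = {".jar", ".exe", ".dll", ".js", ".vbs", ".scr", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever it is called."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def content_type_mismatch(declared_type: str, body: bytes) -> bool:
    """True when the response claims to be an image but carries a PE or
    ZIP/JAR, i.e. the 'DLL downloaded as .PNG' trick. This is the check a
    proxy or CASB policy would run before blocking the download."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in ("image/png", "image/jpeg", "image/gif"):
        return False
    return sniff(body) in ("pe", "zip")


def is_dual_extension(name: str) -> bool:
    """True for names like 'report.PDF.jar': a decoy document extension
    immediately followed by a real executable extension."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    real_ext = "." + parts[-1]
    decoy_ext = "." + parts[-2]
    return real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Return the members of a ZIP archive that use a dual extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_dual_extension(n)]


def is_twerk_drop(path: str, hostname: str) -> bool:
    """Host-side indicator from the writeup: a DLL renamed to the machine's
    hostname with a '.TWERK' extension under C:\\Users\\Public. The exact
    '<hostname>.TWERK' form is an assumption."""
    p = path.replace("\\", "/").lower()
    fname = p.rsplit("/", 1)[-1]
    return "/users/public/" in p and fname == hostname.lower() + ".twerk"


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure's layout. The member
    content is a harmless placeholder, not a real JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NF-9944132-br.PDF.jar", b"PK\x03\x04placeholder")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a fake DLL served with an image content type,
    # and the sample archive above.
    fake_dll = b"MZ\x90\x00" + b"\x00" * 60
    print("image/png carrying PE:", content_type_mismatch("image/png", fake_dll))
    print("real PNG:", content_type_mismatch("image/png", PNG_MAGIC + b"\x00"))
    print("dual-extension members:", suspicious_zip_members(build_sample_zip()))
    print("TWERK drop:", is_twerk_drop(r"C:\Users\Public\WS01.TWERK", "WS01"))
```

The content-type check deliberately trusts only the first bytes of the body, since both the filename and the HTTP `Content-Type` header are attacker-controlled; the dual-extension check looks at the two trailing extensions rather than just the last one, because a stripped-down filter that only sees “.jar” would still pass a name the user reads as a PDF.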
About the Author: Peter Buttler is a professional security expert and lecturer. He serves as a digital content editor for several security organizations. In his writing he likes to focus on recent security trends and other technology topics. You can follow him on Twitter.
Edited by Pierluigi Paganini
(Security Affairs – CloudFanta Malware, cloud)