Netskope Threat Research Labs has discovered a new malware campaign, which we suspect stole more than 26,000 email credentials and also monitors online banking activities. The malware, which we have named “CloudFanta,” has been in operation since July 2016 and primarily targets Brazilian users.
This blog provides a preliminary overview of CloudFanta while we wait on the command and control hosts and cloud vendor to take down the malware and servers containing the email credentials.
Similar to the CloudSquirrel malware campaign that we uncovered in July 2016, CloudFanta arrives as an attachment or a link in a spearphishing email that lures the victim to execute the file or click the link. We observed the CloudFanta malware using the SugarSync cloud storage app for delivering a JAR file that functions as a downloader. The downloader JAR file again uses SugarSync for downloading Dynamic Linked Library (DLL) files with a “.png” extension. These DLL files, which are later renamed to the extension “.twerk,” are responsible for stealing the victim’s email credentials, sending malicious emails on behalf of the victim, and also for monitoring victims’ online banking activities.
A high-level visual depiction of the CloudFanta malware infection is shown in Figure 1. The CloudFanta malware campaign highlighted the use of the cloud storage app, SugarSync for hosting drive-by-download files. Using tactics like the delivery of DLL files with the “.png” extension and the use of SSL/HTTPS communication with SugarSync allow CloudFanta to stay under the radar of a number of traditional, network-based security solutions. This clearly demonstrates the effective use of cloud services for hosting malware by malicious threat actors. The use of cloud services makes the delivery of malware very easy, effectively making it easier to compromise and gain access to users’ data. This clearly signifies an urgent need for enterprises to employ a multi-layered security approach with a strong focus on cloud services.
Figure 1: Visual depiction of CloudFanta malware infection
The visual depiction of protection from CloudFanta malware with Netskope Threat Protection is shown in Figure 3. Netskope Threat Protection detects the files retrieved from the JAR downloader as Backdoor.Generckd.3549404, Backdoor.Generckd.3540808, Backdoor.Generckd.18673650, Backdoor.Generckd.3542220 and Gen:Variant.Symm.60013. Customers with the Netskope Active Platform and Netskope Introspection can set the respective malware and threat protection policies to detect and remediate against this malware. In addition to the above, Netskope Active platform customers can also block the DLL files with “.png” extension from being downloaded using a custom rule as shown in Figure 2.
Figure 2: Block policy alert for portable executable files with “.png” extensions
Figure 3: Visual depiction of protection from CloudFanta malware with Netskope Threat Protection
Netskope recommends the following to combat cloud malware and threats:
We will be publishing a detailed technical blog on CloudFanta soon.