On 5 August 2019, Netskope Threat Research Labs discovered an attack campaign propagated through Pardot, a cloud-based Customer Relationship Management (CRM) by Salesforce. The attack kill chain begins with the delivery of a zip file, containing a lnk file that downloads the next stage of the attack, a Trickbot payload from Google docs.
This attack is noteworthy for the following reasons
- Malicious files residing inside cloud CRM services are typically viewed as internal files
- Users of cloud CRM platforms have a high level of trust in the software because they view the data and associated “links” as internal (even though they are in the cloud)
In this blog, we will provide an analysis of the attack kill chain and how these types of attacks can be prevented with threat protection policies that offer app-level granularity.
Netskope Advanced Threat Protection detects the malware associated with these attacks as Gen.Malware.Detect.By.TI.
Netskope reported the associated Pardot sites hosting malware to the Salesforce security team on 5 August 2019. Additionally, the google docs hosting malware was reported to Google on 6 August 2019.
CRM as an attack vector
A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows). The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.
This is a critical compromise, since some of the users may be operating on a device that they view as relatively hardened against malware. This makes them less likely to scrutinize the attachment. That said, other users involved in the customer relationship process may be accessing the CRM from a compromised endpoint. As per our analysis, and to the best of our knowledge, we have discovered the first attack of this nature from Pardot CRM. This means that users are also likely to be less suspicious of this particular app because they are unaware that it could be compromised.
Attack Kill chain
The attack begins with the ZIP archive containing a lnk file downloaded from Pardot storage. On execution, the lnk file downloads the next stage executable payload masqueraded as PDF file from Google docs. The depiction of the attack kill chain is shown in Figure 1.
Figure 1: Attack kill chain
The malware we first identified was a zip file delivered via pardot link, https://storage.pardot[.]com/120642/87655/Readme_Print.zip. The ZIP file contained a lnk file, Readme_Print.doc.lnk with an argument to load a script file in the %temp% with an argument as shown in Figure 2 .
Figure 2: Command line argument used by the link file
The malware authors used a clever tactic in appending the malicious code after the argument function to evade traditional security scanners. On a similar note, this tactic even evades the tools like lnk-parser, which normally doesn’t display this data.
The obfuscated script is present after the NetBIOS name field in the lnk file as shown in Figure 3.
Figure 3: Obfuscated VBcode in the lnk file
The script used character obfuscation to mask the code. The deobfuscated script can be easily obtained by changing the “execute” into “wscript.echo”. An excerpt of the obfuscated script is shown in Figure 4.
Figure 4: Deobfuscated VBcode
As mentioned in the above image, this script downloads the next stage payload from Google docs. A masqueraded executable (PE) file named “3829_93_93.pdf” is downloaded to the %temp% location from Google docs and renamed to NaFhI.exe and detonated.
The second stage payload is a Visual basic executable belonging to the malware family named Trickbot, that performs code injection and contains many infostealer modules that steal banking related data. This malware family has also been reported in a Salesforce Knowledge base article.
The events captured by our Netskope Advanced Heuristic analysis engine, Netskope AI powered by Cylance and Netskope Cloud Sandbox is shown in Figure 5, Figure 6 and Figure 7.
Figure 5: Events from Netskope Advanced Heuristics
Figure 6: Events from Netskope AI
Figure 7: Events from Netskope Cloud Sandbox
The behavioral execution flow captured by the Netskope Cloud Sandbox is shown in Figure 8.
Figure 8: Execution flow in Netskope Cloud Sandbox.
The malware also posts data to the C2 172.238.117[.]187 as shown in Figure 9.
Figure 9: C2 connection to 220.127.116.11
VirusTotal records show similar post request URLs reported from this IP from late June 2019.
Attack campaign Threat Intel
Based on the attack pattern, passive DNS results and our own threat intelligence framework, we identified 12 similar URLs delivering malware from Pardot Storage. Additionally, we identified 16 lnk files attributed to the NetBIOS name “win-jbf0q9el659”. Based on the timeline and events, we expect the threat actors will continue to scale these attacks across potential targets.
This post details the discovery of a malware hosted and propagated through Pardot CRM. Cloud CRM services store an organization’s most critical customer data, and deliver those data to corporate users via the web. Malicious files residing in popular cloud CRM services can be shared/collaborated on within an organization’s cloud CRM service to make their way into cloud CRM services, thereby creating a new malware attack and propagation vector.
While Netskope Threat Research Labs has reached out to SalesForce to take down the attack elements, we will continue to monitor the delivery mechanism and developments of this campaign.
Indicators of Compromise
Hashes → ZIP files
Hashes → lnk files
Hashes → Second stage Downloader