Netskope Threat Research Labs has observed ongoing targeted attacks in enterprise cloud environments that lead to a malware fan-out effect through automated syncing and sharing of files in the cloud. While monitoring this attack, we captured several instances where the synced filenames were similar to the email addresses of the attack victims. These attachments are often automatically synced to cloud storage applications using file collaboration settings in popular SaaS applications like Office365, Google mail etc. This auto-syncing feature can also be achieved through third party applications as well. Since the filenames appear less suspicious, they are more likely to be viewed as coming from within the organization (and therefore trusted) and shared with others in the same user group.
Figure 1 illustrates this effect in a cloud environment and how Netskope detects the attack patterns at various stages.
Figure 1: Infection propagation in the Cloud
Consider the example recipient as email@example.com, we noticed following variations in attachment names for the targeted emails:
Sample Hashes – 5fcaf61df7fb44c984e5c5dcb9d2022a, a3ffac9e74fa99291d4d53ef525ed0fd
Netskope detection: Gen.Downloadrs.B1F4C42,Gen.Downloadrs.10CC4FE0
Sample hash – 7340efcb3b352cd228a77782c74943a4
Netskope Detection: Backdoor.Downloadr.DPW
The script uses multi-level obfuscation and constructs a WScript instance to setup a connection with domains hosting the payloads. The box in figure 3 shows the fully constructed domain names once the script is completely deobfuscated.The dropped payload is again saved with a random name in the %TEMP% directory.
Sample hash: 4506342ab7723d1f4cc6c98482c93433
Netskope detection: Backdoor.Generckd.3312003
The first payload that we encountered while tracking this campaign was an instance of cross-platform, Java based Adwind RAT, which has the capability to infect Windows, Linux and Macs as shown in Figure 4.
Figure 4: Excerpt of decompiled Jar of Adwind RAT
The RAT has the capability to launch a shell connectivity giving backdoor access to the attacker and has basic file stealing features. Figure 5 below shows the class files which form the crux of the RATs capabilities.
Figure 5: Adwind RAT capabilities defined in the decompiled code
Upon execution on a typical windows environment, the RAT will create a random user profile and will attempt to create persistence by registering an entry into HKCU Run key:
“reg.exe” (Access type: “SETVAL”; Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN”; Key: “HP”; Value: “”%APPDATA%\Oracle\bin\javaw.exe” -jar “%USERPROFILE%\QI\giwauQII.cvLwffAX””)
The jar file constructs multiple VB scripts onto the disk, which are executed by launching an instance of command prompt. These visual basic scripts creates WMI command line queries and checks for system information like anti-virus programs, firewall settings etc. A snapshot of the scripts is shown in figure 6. Adwind also copies relevant Java Runtime files to Appdata using xcopy command.
Figure 6: VB scripts created by the RAT to gather system information
The sample tried connecting to a dynamic dns domain, securitypoint[.]ddns[.]net. Hosting C&C servers on dynamic DNS services helps attackers in quickly switching their IPs without changing the host.
Sample hash: 52de0df53e1d56e3bff153bcfd8d1938
Netskope detection: Gen:Variant.Rzy.73941
The next instance of malware was observed to be the popular iSpy keylogger, which is sold in a subscription based model in underground forums. iSpy is a .Net compiled keylogger that comes packed with loads of additional features like stealing browser history, webcam logging, keystroke recording, clipboard monitoring etc. Figure 7 shows the captured strings in memory when the keylogger is installed onto the system.
Figure 7: iSpy keylogger activities captured in memory strings
Upon execution, the malware creates a copy of itself in \App Data\Roaming\Microsoft\Windows\ScreenToGif.The malware maintains persistence by creating registry entries in HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache. The entry is made to invoke a payload activator executable that checks for running instances of the main iSpy payload based on the mutex. If the malware is not already loaded in the memory, It will launch its new instance. The payload loader is stored in the %TEMP% directory. Parts of the decompiled code can be seen in Figure 8.
Figure 8: Payload loader’s decompiled code
The code will look for running instance of process named “netprotocol” and sleeps if it is already loaded into the memory. It will spun up a new process by invoking the copy of malware stored in the ScreenToGif folder.
Apart from the keylogging and information stealing features, iSpy also makes sure that it disables any known running instances of a wide variety of anti-virus programs onto the system as shown in Figure 9.
Figure 9: Process names of anti-virus solutions targeted by iSpy keylogger
The benefit of using a cloud security solution like Netskope is that they are not affected by such counter-measures implemented by sophisticated malware.
The malware stores the exfiltrated data in a file in the %TEMP% directory and sends the harvested data to the C&C, westech-solar[.]co. At the time of analysis, the C&C was unresponsive.
Sample hash: 6968F0AF128C27C6C970ADC0B301D204
Netskope detection: Backdoor.Agnt.CDQB
Figure 10: Ransom message from Locky/Zepto
Sending malicious attachments through emails is not new, but remains a very popular method for delivering targeted attacks. By crafting an attack vector that leaves little for many existing enterprise security solutions, it becomes easy for attackers to infect users and network. Organizations using cloud storage apps further amplify the attack vector when the malicious files and payloads is synced across multiple users.
Netskope recommends following course of actions to effectively counter such threats: