Netskope Threat Research Labs has observed ongoing targeted attacks in enterprise cloud environments that lead to a malware fan-out effect through automated syncing and sharing of files in the cloud. While monitoring this attack, we captured several instances where the synced filenames were similar to the email addresses of the attack victims. These attachments are often automatically synced to cloud storage applications using file collaboration settings in popular SaaS applications like Office365, Google mail etc. This auto-syncing feature can also be achieved through third party applications as well. Since the filenames appear less suspicious, they are more likely to be viewed as coming from within the organization (and therefore trusted) and shared with others in the same user group.
Figure 1 illustrates this effect in a cloud environment and how Netskope detects the attack patterns at various stages.
Figure 1: Infection propagation in the Cloud
The synced files were all zipped and contained obfuscated JavaScript. Over the course of this campaign, Netskope Threat Protection detected variations in both zipped JavaScript as well as the final payload that would be delivered once the JavaScript was executed. Changes in JavaScript were limited to varying obfuscation techniques, but there were three variations in final payload over the course of time. The payload’s variations were associated with keyloggers, remote access trojans, and more importantly, ransomware. Some of these samples would disable endpoint antivirus software, leaving the enterprise to rely on a remote scan engine like Netskope Threat Protection.
Consider the example recipient as [email protected], we noticed following variations in attachment names for the targeted emails:
Joey.tribbiani[0-9A-Z]{6,8}_[0-9A-F]{6,8}.zip
Joey.trbbiani_proposal_[0-9A-F]{6}.zip
Pdf_letter-joey.tribbiani_[0-9A-F]{6}.zip
Attack Vector
The attack vector follows the usual infection pattern in which the attached zip file contains an obfuscated JavaScript. We have noticed variations in the wrapper JavaScript indicating that the attackers were attempting multiple ways to circumvent the corporate environment. Netskope Threat Protection detects the attached zip file and obfuscated JavaScript inside as Gen.Downloadrs.B1F4C42E,Gen.Downloadrs.10CC4FE0 and Generic.JS.DownloaderS.B1F4C42E respectively.
Obfuscated JavaScripts
During our investigation, we observed two variations of the obfuscated JavaScript that were delivered as zip attachments to the recipients.
First Variation
Sample Hashes – 5fcaf61df7fb44c984e5c5dcb9d2022a, a3ffac9e74fa99291d4d53ef525ed0fd
Netskope detection: Gen.Downloadrs.B1F4C42,Gen.Downloadrs.10CC4FE0
A simplified version of the obfuscated JavaScript that was delivered inside the zipped attachment is shown in Figure 2.
Figure 2 : Simplified version of the obfuscated wrapper JavaScript.
The above JavaScript creates a Windows script host object to establish connection with the hard-coded url (astralopitec[.]yomu[.]ru) in object named “dingy”. The fetched malware payload is then stored in the %TEMP% directory.
Second Variation
Sample hash – 7340efcb3b352cd228a77782c74943a4
Netskope Detection: Backdoor.Downloadr.DPW
Another instance of the JavaScript wrapper we observed is shown in the Figure 3.
Figure 3: Another example of obfuscated JavaScript inside the zip attachment
The script uses multi-level obfuscation and constructs a WScript instance to setup a connection with domains hosting the payloads. The box in figure 3 shows the fully constructed domain names once the script is completely deobfuscated.The dropped payload is again saved with a random name in the %TEMP% directory.
Payload Variations
We noticed three different variations in the payloads delivered using the obfuscated JavaScript. These payloads belong to Adwind RAT, iSpy keylogger and Locky ransomware families detected by Netskope Threat protection as Backdoor.Generckd.3312003, Gen:Variant.Rzy.73941 and Backdoor.Agnt.CDQB.
Payload Variation 1 : Adwind RAT
Sample hash: 4506342ab7723d1f4cc6c98482c93433
Netskope detection: Backdoor.Generckd.3312003
The first payload that we encountered while tracking this campaign was an instance of cross-platform, Java based Adwind RAT, which has the capability to infect Windows, Linux and Macs as shown in Figure 4.