We recently published an overview blog about the CloudFanta malware campaign that uses the Sugarsync cloud storage app to deliver malware capable of stealing user credentials and monitoring online banking activities. This blog will detail the technical aspects of CloudFanta.
Although CloudSquirrel and CloudFanta malware are not similar, we believe that both malware campaigns are deployed by the same actor based on the following similarities.
- Use of cloud services to download and deliver the malware and its payloads.
- Infecting users by downloading malicious payloads (32-bit and 64-bit executables) for performing data exfiltration.
- Targeting Brazilian users with the usage of similar file names such as NF-9944132-br.PDF.jar and the parameters used to communicate with the C&C server.
Propagation / Delivery of CloudFanta
CloudFanta malware typically arrives on the user’s machine as an attachment or a link via a spear phishing email that lures the victim to execute the file or click on the link.
The Sugarsync URL we observed delivering CloudFanta malware was