Visual depiction of the life cycle of the Cloud Squirrel Attack
Last week we posted an article, giving an overview about the CloudSquirrel malware campaign that takes advantage of multiple cloud apps throughout the kill chain with the intent to steal and exfiltrate user data. We will talk about technical details in this blog.
Listed below are the activities seen in the CloudSquirrel malware campaign:
- Uses a variety of cloud services to download its main payload.
- Uses DropBox for its C&C (command and control) server.
- Infects users by downloading malicious payloads ( 32 bit and 64 bit executables) that collects information about the victim’s machines including the victim’s email account credentials configured in native email clients.
- Primarily affecting Brazilian users based on the facts – file names e.g. “NF-eletronica”, “visualizar boleto” and also the parameter names used in the data exfiltration.
CloudSquirrel malware typically arrives on the user’s machine as an attachment or a link via email. These attachments, and links will generally involve a ‘..’ extension, such as “NF-eletronica-8457348947..Docx.zip”. The delivery mechanism of CloudSquirrel we saw was being distributed using ServInt’s Jelastic Platform-As-A-Service(PaaS). Jelastic redirects to the CloudApp cloud platform which in turn uses Amazon AWS for its backend cloud services as shown in Figure 1.
Figure 1: CloudSquirrel delivery mechanism
The downloaded sample “NF-eletronica-8457348947..Docx.zip” (md5 – F23E27F452C523D95D06371922531C48) is a zip archive that contained a JAR file “NF-eletronica-8457348947..Docx.jar” (md5 – A32F45F7B24FBE474816710BBDB046A6). If the user has not allowed viewing of file extensions in their operating system folder options, the sample would be displayed as “NF-eletronica-8457348947..Docx” without the .jar extension. This tricks the user and makes them believe it is a document file.
Analysis of the JAR file
We decompiled the JAR file and the main class file “vvbdhu.class” contained a list of hard-coded URLs in its code, as shown in Figure 2 below:
Figure 2: URLs present in vvbhdu.class
Three of these URLs referred to Dropbox, while another referred to an IP address. These mp4 files were in fact in plain text format and each of them contained list of URLs, as shown in Figure 3 and Figure 4.
Figure 3: URLs in xxxconfg.mp4
Figure 4: URLs in xxxconf1.mp4 , xxxconf2.mp4 and xxxconf4.mp4
At the time of this blog’s publishing, the IP 45.63.23[.]187 was down, and not serving any payload. Since the IP is down, the malware makes an attempt to download the files from the URLs listed with IP 45.32.186[.]249 sequentially. As soon as it downloads a file successfully, it moves to the next stage of execution. Listed below in Figure 5 is the screenshot of malicious server hosting the files.
Figure 5: Files present inside directory /clientes/dados at the website 45.32.186[.]249
The files stark1.pdf, stark2.pdf, stark3.pdf and stark4.pdf have the extension .pdf but are not real PDF files. They are executable files encrypted with the Data Encryption Standard (DES) algorithm which we decrypted using the code present in the vvbhdu.class file shown in Figure 6.
Figure 6: Encrypt and decrypt routines using DES algorithm referred in vvbhdu.class