¡El futuro de Confianza Cero y SASE es ahora! Ver a la carta

cerrar
cerrar
  • Por qué Netskope chevron

    Cambiar la forma en que las redes y la seguridad trabajan juntas.

  • Nuestros clientes chevron

    Netskope atiende a más de 3.000 clientes en todo el mundo, entre ellos más de 25 de las 100 empresas de Fortune

  • Nuestros Partners chevron

    Nos asociamos con líderes en seguridad para ayudarlo a asegurar su viaje a la nube.

La más Alta en Ejecución. Más Avanzada en Visión.

Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.

Obtenga el informe
Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.
Ayudamos a nuestros clientes a estar preparados para cualquier situación

See our customers
Woman smiling with glasses looking out window
La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.

Más información sobre los socios de Netskope
Group of diverse young professionals smiling
Tu red del mañana

Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.

Obtenga el whitepaper
Tu red del mañana
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Adopte una arquitectura de borde de servicio de acceso seguro (SASE)

Netskope NewEdge es la nube privada de seguridad más grande y de mayor rendimiento del mundo y ofrece a los clientes una cobertura de servicio, un rendimiento y una resiliencia incomparables.

Más información sobre NewEdge
NewEdge
Netskope Cloud Exchange

Cloud Exchange (CE) de Netskope ofrece a sus clientes herramientas de integración eficaces para que saquen partido a su inversión en estrategias de seguridad.

Más información sobre Cloud Exchange
Vídeo de Netskope
  • Servicio de seguridad Productos Edge chevron

    Protéjase contra las amenazas avanzadas y en la nube y salvaguarde los datos en todos los vectores.

  • Borderless SD-WAN chevron

    Proporcione con confianza un acceso seguro y de alto rendimiento a cada usuario remoto, dispositivo, sitio y nube.

  • Secure Access Service Edge chevron

    Netskope SASE proporciona una solución SASE nativa en la nube, totalmente convergente y de un único proveedor.

La plataforma del futuro es Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) y Private Access for ZTNA integrados de forma nativa en una única solución para ayudar a todas las empresas en su camino hacia el Servicio de acceso seguro Arquitectura perimetral (SASE).

Todos los productos
Vídeo de Netskope
Next Gen SASE Branch es híbrida: conectada, segura y automatizada

Netskope Next Gen SASE Branch converge Context-Aware SASE Fabric, Zero-Trust Hybrid Security y SkopeAI-Powered Cloud Orchestrator en una oferta de nube unificada, marcando el comienzo de una experiencia de sucursal completamente modernizada para la empresa sin fronteras.

Obtenga más información sobre Next Gen SASE Branch
Personas en la oficina de espacios abiertos.
Diseño de una arquitectura SASE para Dummies

Obtenga un ejemplar gratuito del único manual que necesitará sobre diseño de una arquitectura SASE.

Obtenga el eBook
Cambie a los servicios de seguridad en la nube líderes del mercado con una latencia mínima y una alta fiabilidad.

Más información sobre NewEdge
Lighted highway through mountainside switchbacks
Habilite de forma segura el uso de aplicaciones de IA generativa con control de acceso a aplicaciones, capacitación de usuarios en tiempo real y la mejor protección de datos de su clase.

Descubra cómo aseguramos el uso generativo de IA
Habilite de forma segura ChatGPT y IA generativa
Soluciones de confianza cero para implementaciones de SSE y SASE

Más información sobre Confianza Cero
Boat driving through open sea
Netskope logra la alta autorización FedRAMP

Elija Netskope GovCloud para acelerar la transformación de su agencia.

Más información sobre Netskope GovCloud
Netskope GovCloud
  • Recursos chevron

    Obtenga más información sobre cómo Netskope puede ayudarle a proteger su viaje hacia la nube.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Manténgase a la vanguardia de las últimas tendencias de seguridad y conéctese con sus pares.

  • Seguridad definida chevron

    Todo lo que necesitas saber en nuestra enciclopedia de ciberseguridad.

Podcast Security Visionaries

Elecciones, desinformación y seguridad
Este episodio analiza los aspectos de la seguridad electoral en torno al registro de votantes y los controles físicos en los lugares de votación.

Reproducir el pódcast
Blog: Elecciones, desinformación y seguridad
Últimos blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Lea el blog
Sunrise and cloudy sky
SASE Week 2023: ¡Su viaje SASE comienza ahora!

Sesiones de repetición de la cuarta SASE Week.

Explorar sesiones
SASE Week 2023
¿Qué es Security Service Edge (SSE)?

Explore el lado de la seguridad de SASE, el futuro de la red y la protección en la nube.

Más información sobre el servicio de seguridad perimetral
Four-way roundabout
  • Empresa chevron

    Le ayudamos a mantenerse a la vanguardia de los desafíos de seguridad de la nube, los datos y la red.

  • Liderazgo chevron

    Nuestro equipo de liderazgo está firmemente comprometido a hacer todo lo necesario para que nuestros clientes tengan éxito.

  • Soluciones para clientes chevron

    Le apoyamos en cada paso del camino, garantizando su éxito con Netskope.

  • Formación y certificación chevron

    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube.

Apoyar la sostenibilidad a través de la seguridad de los datos

Netskope se enorgullece de participar en Vision 2045: una iniciativa destinada a crear conciencia sobre el papel de la industria privada en la sostenibilidad.

Descubra más
Apoyando la sustentabilidad a través de la seguridad de los datos
Pensadores, constructores, soñadores, innovadores. Juntos, ofrecemos soluciones de seguridad en la nube de vanguardia para ayudar a nuestros clientes a proteger sus datos y usuarios.

Conozca a nuestro equipo
Group of hikers scaling a snowy mountain
El talentoso y experimentado equipo de servicios profesionales de Netskope proporciona un enfoque prescriptivo para su exitosa implementación.

Más información sobre servicios profesionales
Servicios profesionales de Netskope
Asegure su viaje de transformación digital y aproveche al máximo sus aplicaciones en la nube, web y privadas con la capacitación de Netskope.

Infórmese sobre Capacitaciones y Certificaciones
Group of young professionals working

Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud

Mar 08 2017
Etiquetas
Cloud Best Practices
Netskope Threat Protection
Tools and Tips
Vulnerability Advisory

Netskope Threat Research Labs has observed ongoing targeted attacks in enterprise cloud environments that lead to a malware fan-out effect through automated syncing and sharing of files in the cloud. While monitoring this attack, we captured several instances where the synced filenames were similar to the email addresses of the attack victims. These attachments are often automatically synced to cloud storage applications using file collaboration settings in popular SaaS applications like Office365, Google mail etc. This auto-syncing feature can also be achieved through third party applications as well. Since the filenames appear less suspicious, they are more likely to be viewed as coming from within the organization (and therefore trusted) and shared with others in the same user group.

Figure 1 illustrates this effect in a cloud environment and how Netskope detects the attack patterns at various stages.

Figure 1: Infection propagation in the Cloud

The synced files were all zipped and contained obfuscated JavaScript. Over the course of this campaign, Netskope Threat Protection detected variations in both zipped JavaScript as well as the final payload that would be delivered once the JavaScript was executed. Changes in JavaScript were limited to varying obfuscation techniques, but there were three variations in final payload over the course of time. The payload’s variations were associated with keyloggers, remote access trojans, and more importantly, ransomware. Some of these samples would disable endpoint antivirus software, leaving the enterprise to rely on a remote scan engine like Netskope Threat Protection.

Consider the example recipient as [email protected], we noticed following variations in attachment names for the targeted emails:

Joey.tribbiani[0-9A-Z]{6,8}_[0-9A-F]{6,8}.zip

Joey.trbbiani_proposal_[0-9A-F]{6}.zip

Pdf_letter-joey.tribbiani_[0-9A-F]{6}.zip

Attack Vector

The attack vector follows the usual infection pattern in which the attached zip file contains an obfuscated JavaScript. We have noticed variations in the wrapper JavaScript indicating that the attackers were attempting multiple ways to circumvent the corporate environment. Netskope Threat Protection detects the attached zip file and obfuscated JavaScript inside as Gen.Downloadrs.B1F4C42E,Gen.Downloadrs.10CC4FE0  and Generic.JS.DownloaderS.B1F4C42E respectively.

Obfuscated JavaScripts

During our investigation, we observed two variations of the obfuscated JavaScript that were delivered as zip attachments to the recipients.

First Variation

Sample Hashes – 5fcaf61df7fb44c984e5c5dcb9d2022a, a3ffac9e74fa99291d4d53ef525ed0fd

Netskope detection: Gen.Downloadrs.B1F4C42,Gen.Downloadrs.10CC4FE0

A simplified version of the obfuscated JavaScript that was delivered inside the zipped attachment is shown in Figure 2.

Figure 2 : Simplified version of the obfuscated wrapper JavaScript.

The above JavaScript creates a Windows script host object to establish connection with the hard-coded url (astralopitec[.]yomu[.]ru) in object named “dingy”. The fetched malware payload is then stored in the %TEMP% directory.

Second Variation

Sample hash – 7340efcb3b352cd228a77782c74943a4

Netskope Detection: Backdoor.Downloadr.DPW

Another instance of the JavaScript wrapper we observed is shown in the Figure 3.

Figure 3: Another example of obfuscated JavaScript inside the zip attachment

The script uses multi-level obfuscation and constructs a WScript instance to setup a connection with domains hosting the payloads. The box in figure 3 shows the fully constructed domain names once the script is completely deobfuscated.The dropped payload is again saved with a random name in the %TEMP% directory.

Payload Variations

We noticed three different variations in the payloads delivered using the obfuscated JavaScript. These payloads belong to Adwind RAT, iSpy keylogger and Locky ransomware families detected by Netskope Threat protection as Backdoor.Generckd.3312003, Gen:Variant.Rzy.73941 and Backdoor.Agnt.CDQB.

Payload Variation 1 : Adwind RAT

Sample hash: 4506342ab7723d1f4cc6c98482c93433
Netskope detection: Backdoor.Generckd.3312003

The first payload that we encountered while tracking this campaign was an instance of cross-platform, Java based Adwind RAT, which has the capability to infect Windows, Linux and Macs as shown in Figure 4.

Figure 4: Excerpt of decompiled Jar of Adwind RAT

The RAT has the capability to launch a shell connectivity giving backdoor access to the attacker and has basic file stealing features. Figure 5 below shows the class files which form the crux of the RATs capabilities.

Figure 5: Adwind RAT capabilities defined in the decompiled code

Upon execution on a typical windows environment, the RAT will create a random user profile and will attempt to create persistence by registering an entry into HKCU Run key:

“reg.exe” (Access type: “SETVAL”; Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN”; Key: “HP”; Value: “”%APPDATA%\Oracle\bin\javaw.exe” -jar “%USERPROFILE%\QI\giwauQII.cvLwffAX””)

The jar file constructs multiple VB scripts onto the disk, which are executed by launching an instance of command prompt. These visual basic scripts creates WMI command line queries and checks for system information like anti-virus programs, firewall settings etc. A snapshot of the scripts is shown in figure 6. Adwind also copies relevant Java Runtime files to Appdata using xcopy command.

Figure 6: VB scripts created by the RAT to gather system information

The sample tried connecting to a dynamic dns domain, securitypoint[.]ddns[.]net. Hosting C&C servers on dynamic DNS services helps attackers in quickly switching their IPs without changing the host.

Payload Variation 2 : iSpy Keylogger

Sample hash: 52de0df53e1d56e3bff153bcfd8d1938
Netskope detection: Gen:Variant.Rzy.73941

The next instance of malware was observed to be the popular iSpy keylogger, which is sold in a  subscription based model in underground forums. iSpy is a .Net compiled keylogger that comes packed with loads of additional features like stealing browser history, webcam logging, keystroke recording, clipboard monitoring etc. Figure 7 shows the captured strings in memory when the keylogger is installed onto the system.

Figure 7: iSpy keylogger activities captured in memory strings

Upon execution, the malware creates a copy of itself in \App Data\Roaming\Microsoft\Windows\ScreenToGif.The malware maintains persistence by creating registry entries in HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache. The entry is made to invoke a payload activator executable that checks for running instances of the main iSpy payload based on the mutex. If the malware is not already loaded in the memory, It will launch its new instance. The payload loader is stored in the %TEMP% directory. Parts of the decompiled code can be seen in Figure 8.

Figure 8: Payload loader’s decompiled code

The code will look for running instance of process named “netprotocol” and sleeps if it is already loaded into the memory. It will spun up a new process by invoking the copy of malware stored in the ScreenToGif folder.

Apart from the keylogging and information stealing features, iSpy also makes sure that it disables any known running instances of a wide variety of anti-virus programs onto the system as shown in Figure 9.

Figure 9: Process names of anti-virus solutions targeted by iSpy keylogger

The benefit of using a cloud security solution like Netskope is that they are not affected by such counter-measures implemented by sophisticated malware.

The malware stores the exfiltrated data in a file in the %TEMP% directory and sends the harvested data to the C&C, westech-solar[.]co. At the time of analysis, the C&C was unresponsive.

Payload Variation 3: Variant of Locky/Zepto

Sample hash: 6968F0AF128C27C6C970ADC0B301D204
Netskope detection: Backdoor.Agnt.CDQB

The third and last payload noticed during our monitoring, belongs to Locky ransomware family. We observed a variant of Locky being delivered as the final payload once the user executes the attached JavaScript. We have blogged about a detailed analysis of the variant Zepto here. The samples noticed during this campaign were no different from the one we disclosed in our blog. There were slight variations in the first level JavaScript where the payload execution parameters were slightly obfuscated.

Figure 10: Ransom message from Locky/Zepto

Conclusión

Sending malicious attachments through emails is not new, but remains a very popular method for delivering targeted attacks. By crafting an attack vector that leaves little for many existing enterprise security solutions, it becomes easy for attackers to infect users and network. Organizations using cloud storage apps further amplify the attack vector when the malicious files and payloads is synced across multiple users.

General recommendations

Netskope recommends following course of actions to effectively counter such threats:

  • Detect and remediate all threats at rest in sanctioned cloud services using a threat-aware Cloud Access Security Broker like Netskope.
  • Detect and remediate all threats being downloaded from unsanctioned cloud services using a threat-aware solution like Netskope.
  • Scan files using remote scanning services like Netskope Advanced Threat Protection, that cannot be disabled by malware.
  • Regularly back up and turn on versioning for critical content in cloud services.
  • Avoid opening email attachments if it appears to be coming from unknown sources.
  • Disable automatic unzipping of files and avoid clicking on any JavaScript that comes as zipped archive unless fully verified by the sender or IT administrator.
  • Actively track usage of unsanctioned cloud services and enforce DLP policies to control files and data entering and leaving your corporate environment.
  • Keep systems and antivirus updated with the latest releases and patches.

 

Stay informed!

Subscribe for the latest from the Netskope Blog