Visual depiction of the life cycle of the Cloud Squirrel Attack
Last week we posted an article giving an overview of the CloudSquirrel malware campaign, which takes advantage of multiple cloud apps throughout the kill chain with the intent to steal and exfiltrate user data. This post covers the technical details.
Listed below are the activities seen in the CloudSquirrel malware campaign:
- Uses a variety of cloud services to download its main payload.
- Uses DropBox for its C&C (command and control) server.
- Infects users by downloading malicious payloads (32-bit and 64-bit executables) that collect information about the victim’s machine, including the victim’s email account credentials configured in native email clients.
- Primarily affects Brazilian users, judging by the file names (e.g. “NF-eletronica”, “visualizar boleto”) and the parameter names used in the data exfiltration.
CloudSquirrel malware typically arrives on the user’s machine as an attachment or a link via email. These attachments and links generally involve a ‘..’ extension, such as “NF-eletronica-8457348947..Docx.zip”. The CloudSquirrel samples we saw were distributed using ServInt’s Jelastic Platform-as-a-Service (PaaS). Jelastic redirects to the CloudApp cloud
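As an added example (not code from the original post), the following Python triage routine flags attachment names that show the consecutive-dot extension pattern described above, or a document extension wrapped directly in an archive extension. The sample names are constructed for illustration; only the first mirrors the pattern quoted in the post.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample attachment names. The first follows the "..Docx.zip"
# pattern quoted in the post; the others are made up for contrast and are
# not observed indicators.
SAMPLE_ATTACHMENTS = [
    "NF-eletronica-8457348947..Docx.zip",
    "visualizar boleto..PDF.zip",
    "relatorio.docx",
    "fatura.pdf.zip",
    "photo..jpg",
]

DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: List[str]


def inspect_attachment_name(name: str) -> Verdict:
    """Apply two filename heuristics and return a verdict with reasons."""
    reasons: List[str] = []
    # Split on dots but keep empty components, so "a..Docx.zip" yields
    # ["a", "", "Docx", "zip"]; everything after the base name is an extension.
    parts = name.split(".")
    exts = [p.lower() for p in parts[1:]]
    if "" in exts:
        # Consecutive dots: the '..' extension trick used in this campaign.
        reasons.append("empty extension component (consecutive dots)")
    non_empty = [e for e in exts if e]
    # A document-looking extension immediately inside an archive, e.g. ..Docx.zip.
    if (len(non_empty) >= 2
            and non_empty[-1] in ARCHIVE_EXTENSIONS
            and non_empty[-2] in DOCUMENT_EXTENSIONS):
        reasons.append("document extension inside archive extension")
    return Verdict(name, bool(reasons), reasons)


def triage(names: List[str]) -> Dict[str, Verdict]:
    """Run the heuristics over a batch of attachment names."""
    return {n: inspect_attachment_name(n) for n in names}
```

The heuristics are intentionally broad (a plain `.pdf.zip` also trips the second rule), so treat a hit as a reason to sandbox or quarantine for review rather than as a conviction.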