閉める
閉める
明日に向けたネットワーク
明日に向けたネットワーク
サポートするアプリケーションとユーザー向けに設計された、より高速で、より安全で、回復力のあるネットワークへの道を計画します。
          Netskopeを体験しませんか?
          Netskopeプラットフォームを実際に体験する
          Netskope Oneのシングルクラウドプラットフォームを直接体験するチャンスです。自分のペースで進められるハンズオンラボにサインアップしたり、毎月のライブ製品デモに参加したり、Netskope Private Accessの無料試乗に参加したり、インストラクター主導のライブワークショップに参加したりできます。
            SSEのリーダー。 現在、シングルベンダーSASEのリーダーです。
            SSEのリーダー。 現在、シングルベンダーSASEのリーダーです。
            Netskope、2024年ガートナー、シングルベンダーSASEのマジック・クアドラントでリーダーの1社の位置付けと評価された理由をご確認ください。
              ダミーのためのジェネレーティブAIの保護
              ダミーのためのジェネレーティブAIの保護
              ジェネレーティブ AI の革新的な可能性と堅牢なデータ セキュリティ プラクティスのバランスを取る方法をご覧ください。
                ダミーのための最新のデータ損失防止(DLP)eBook
                最新の情報漏えい対策(DLP)for Dummies
                クラウド配信型 DLP に移行するためのヒントとコツをご紹介します。
                  SASEダミーのための最新のSD-WAN ブック
                  SASEダミーのための最新のSD-WAN
                  遊ぶのをやめる ネットワークアーキテクチャに追いつく
                    リスクがどこにあるかを理解する
                    Advanced Analytics は、セキュリティ運用チームがデータ主導のインサイトを適用してより優れたポリシーを実装する方法を変革します。 Advanced Analyticsを使用すると、傾向を特定し、懸念事項に的を絞って、データを使用してアクションを実行できます。
                        レガシーVPNを完全に置き換えるための6つの最も説得力のあるユースケース
                        レガシーVPNを完全に置き換えるための6つの最も説得力のあるユースケース
                        Netskope One Private Accessは、VPNを永久に廃止できる唯一のソリューションです。
                          Colgate-Palmoliveは、スマートで適応性のあるデータ保護により「知的財産」を保護します
                          Colgate-Palmoliveは、スマートで適応性のあるデータ保護により「知的財産」を保護します
                            Netskope GovCloud
                            NetskopeがFedRAMPの高認証を達成
                            政府機関の変革を加速するには、Netskope GovCloud を選択してください。
                              一緒に素晴らしいことをしましょう
                              Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。
                                Netskopeソリューション
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange(CE)は、セキュリティ体制全体で投資を活用するための強力な統合ツールをお客様に提供します。
                                  Netskopeテクニカルサポート
                                  Netskopeテクニカルサポート
                                  クラウドセキュリティ、ネットワーキング、仮想化、コンテンツ配信、ソフトウェア開発など、多様なバックグラウンドを持つ全世界にいる有資格のサポートエンジニアが、タイムリーで質の高い技術支援を行っています。
                                    Netskopeの動画
                                    Netskopeトレーニング
                                    Netskopeのトレーニングは、クラウドセキュリティのエキスパートになるためのステップアップに活用できます。Netskopeは、お客様のデジタルトランスフォーメーションの取り組みにおける安全確保、そしてクラウド、Web、プライベートアプリケーションを最大限に活用するためのお手伝いをいたします。

                                      Pardot CRM Attack

                                      Aug 08 2019

                                      On 5 August 2019, Netskope Threat Research Labs discovered an attack campaign propagated through Pardot, a cloud-based Customer Relationship Management (CRM) by Salesforce. The attack kill chain begins with the delivery of a zip file, containing a lnk file that downloads the next stage of the attack, a Trickbot payload from Google docs. 

                                      This attack is noteworthy for the following reasons

                                      • Malicious files residing inside cloud CRM services are typically viewed as internal files
                                      • Users of cloud CRM platforms have a high level of trust in the software because they view the data and associated “links” as internal (even though they are in the cloud)

                                      In this blog, we will provide an analysis of the attack kill chain and how these types of attacks can be prevented with threat protection policies that offer app-level granularity.

                                      Netskope Detection

                                      Netskope Advanced Threat Protection detects the malware associated with these attacks as Gen.Malware.Detect.By.TI.

                                      Disclosure

                                      Netskope reported the associated Pardot sites hosting malware to the Salesforce security team on 5 August 2019. Additionally, the google docs hosting malware was reported to Google on 6 August 2019.

                                      CRM as an attack vector

                                      A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows). The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.

                                      This is a critical compromise, since some of the users may be operating on a device that they view as relatively hardened against malware. This makes them less likely to scrutinize the attachment. That said, other users involved in the customer relationship process may be accessing the CRM from a compromised endpoint. As per our analysis, and to the best of our knowledge, we have discovered the first attack of this nature from Pardot CRM.  This means that users are also likely to be less suspicious of this particular app because they are unaware that it could be compromised.

                                      Attack Kill chain

                                      The attack begins with the ZIP archive containing a lnk file downloaded from Pardot storage. On execution, the lnk file downloads the next stage executable payload masqueraded as PDF file from Google docs. The depiction of the attack kill chain is shown in Figure 1.

                                      Figure 1: Attack kill chain 

                                      Technical Analysis

                                      The malware we first identified was a zip file delivered via pardot link, https://storage.pardot[.]com/120642/87655/Readme_Print.zip. The ZIP file contained a lnk file, Readme_Print.doc.lnk with an argument to load a script file in the %temp% with an argument as shown in Figure 2 .

                                      Figure 2: Command line argument used by the link file

                                      The malware authors used a clever tactic in appending the malicious code after the argument function to evade traditional security scanners. On a similar note, this tactic even evades the tools like lnk-parser, which normally doesn’t display this data.

                                      The obfuscated script is present after the NetBIOS name field in the lnk file as shown in Figure 3.

                                      Figure 3: Obfuscated VBcode in the lnk file

                                      The script used character obfuscation to mask the code. The deobfuscated script can be easily obtained by changing the “execute” into “wscript.echo”. An excerpt of the obfuscated script is shown in Figure 4.

                                      Figure 4: Deobfuscated VBcode

                                      As mentioned in the above image, this script downloads the next stage payload from Google docs. A masqueraded executable (PE) file named “3829_93_93.pdf” is downloaded to the %temp% location from Google docs and renamed to NaFhI.exe and detonated. 

                                      The second stage payload is a Visual basic executable belonging to the malware family named Trickbot, that performs code injection and contains many infostealer modules that steal banking related data. This malware family has also been reported in a Salesforce Knowledge base article.

                                      The events captured by our Netskope Advanced Heuristic analysis engine, Netskope AI powered by Cylance and Netskope Cloud Sandbox is shown in Figure 5, Figure 6 and Figure 7.

                                      Figure 5: Events from Netskope Advanced Heuristics

                                      Figure 6: Events from Netskope AI

                                      Figure 7: Events from Netskope Cloud Sandbox

                                      The behavioral execution flow captured by the Netskope Cloud Sandbox is shown in Figure 8.

                                      Figure 8: Execution flow in Netskope Cloud Sandbox.

                                      The malware also posts data to the C2 172.238.117[.]187 as shown in Figure 9.

                                      Figure 9: C2 connection to 172.238.117.187

                                      VirusTotal records show similar post request URLs reported from this IP from late June 2019.

                                      Attack campaign Threat Intel

                                      Based on the attack pattern, passive DNS results and our own threat intelligence framework, we identified 12 similar URLs delivering malware from Pardot Storage. Additionally, we identified 16 lnk files attributed to the NetBIOS name “win-jbf0q9el659”. Based on the timeline and events, we expect the threat actors will continue to scale these attacks across potential targets.

                                      Conclusion

                                      This post details the discovery of a malware hosted and propagated through Pardot CRM. Cloud CRM services store an organization’s most critical customer data, and deliver those data to corporate users via the web. Malicious files residing in popular cloud CRM services can be shared/collaborated on within an organization’s cloud CRM service to make their way into cloud CRM services, thereby creating a new malware attack and propagation vector. 

                                      While Netskope Threat Research Labs has reached out to SalesForce to take down the attack elements, we will continue to monitor the delivery mechanism and developments of this campaign. 

                                      Indicators of Compromise

                                      Hashes → ZIP files

                                      7df177b164c352ceccdab988a7ee255d

                                      12f6fd9f27681bf86e99cce8160b33bf

                                      b2e936d3b529486ccb27382bd0c8d174

                                      3b682290a0a9c09a213c11d1e83f87c3

                                      34bbe2d74ae0c941f796c4f4243c465d

                                      2c13e04f08d5f0042645420babd7b721

                                      126d011a71acb1206d545df7ecbb4de3

                                      9eecbb8c232ac55e663b20ddc86ef83d

                                      466828341e2fe5358c145827618157ae

                                      3593c4ce813c5faf1b5cdd4cd1f781e8

                                      1153b0f48b78da341f0dbd85a7b15d71

                                      Hashes → lnk files

                                      95d70dee15417cc1872eb813fc23c3a1

                                      ee4e5b2df114a4f76238a0a8b012f46c

                                      c17cd9e49cecd49cf957bc9eb5f851c8

                                      12544f796e57cbddbda1dcb8993ee914

                                      9f306aca85874e9202a2c50d21876065

                                      eec8649922819af1fab6000ea8dee1ed

                                      4a1e42387c11beee2f6ed714e1cc0d28

                                      795d6f1601eca20f31ae83b602ee328e

                                      9bae6843b4d82444f80727fecec59c09

                                      35d7a9f5549bf968b02b1971b57801a5

                                      acfb9f89c421d4b52dd9a8ef86967cd2

                                      Hashes →  Second stage Downloader

                                      f4c2cb6270631260d5b8d9ff00fbfddf

                                      4abb6f6cbd18258b9ef05083c2a817ca

                                      7df9534d3c477feda474bf3de036d4d9

                                      c444894cc5d28eaf1daad16d5d8832fa

                                      author image
                                      Ashwin Vamshi
                                      Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services.
                                      Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog