Netskope Threat Research Labs has observed ongoing targeted attacks in enterprise cloud environments that lead to a malware fan-out effect through automated syncing and sharing of files in the cloud. While monitoring this attack, we captured several instances where the synced filenames were similar to the email addresses of the attack victims. These attachments are often automatically synced to cloud storage applications through file collaboration settings in popular SaaS applications such as Office365 and Google Mail; the same auto-syncing can also be achieved through third-party applications. Since the filenames appear less suspicious, they are more likely to be viewed as coming from within the organization (and therefore trusted) and shared with others in the same user group.
Figure 1 illustrates this effect in a cloud environment and how Netskope detects the attack patterns at various stages.
Figure 1: Infection propagation in the Cloud
The synced files were all zipped and contained obfuscated JavaScript. Over the course of this campaign, Netskope Threat Protection detected variations in both the zipped JavaScript and the final payload that would be delivered once the JavaScript was executed. Changes in the JavaScript were limited to varying obfuscation techniques, but there were three variations in the final payload over the course of time. The payload variations were associated with keyloggers, remote access trojans, and, more importantly, ransomware. Some of these samples would disable endpoint antivirus software, leaving the enterprise to rely on a remote scan engine like Netskope Threat Protection.
Taking [email protected] as an example recipient, we noticed the following variations in attachment names for the targeted emails:
Joey.tribbiani[0-9A-Z]{6,8}_[0-9A-F]{6,8}.zip
Joey.trbbiani_proposal_[0-9A-F]{6}.zip
Pdf_letter-joey.tribbiani_[0-9A-F]{6}.zip
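The two observations above (zip attachments that carry obfuscated JavaScript, and attachment names built from the recipient's own email address) can be turned into a simple detection rule over cloud sync/share events. The following is an added example written for this post, not Netskope's own detection logic; the recipient address, event records and in-memory zip archive are constructed for the example, and the three regex shapes are the ones listed above, parameterised on the local part of the recipient's address. Note that the second pattern as seen in the campaign spells the name with a dropped letter, so a production rule may want a looser name match than the exact local part used here.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Script-like members that a zip attachment should not normally carry
# (list chosen for this example; the post itself only mentions JavaScript).
SCRIPT_EXTENSIONS = (".js", ".jse")


def build_patterns(recipient_email: str) -> List[re.Pattern]:
    """Return the three attachment-name shapes from the post, anchored on
    the recipient's local part (everything before '@')."""
    local = re.escape(recipient_email.split("@", 1)[0])
    shapes = [
        rf"^{local}[0-9A-Z]{{6,8}}_[0-9A-F]{{6,8}}\.zip$",   # name + random + _hex
        rf"^{local}_proposal_[0-9A-F]{{6}}\.zip$",           # name_proposal_hex
        rf"^Pdf_letter-{local}_[0-9A-F]{{6}}\.zip$",         # Pdf_letter-name_hex
    ]
    # Observed names mix the case of the recipient name, so match case-insensitively.
    return [re.compile(s, re.IGNORECASE) for s in shapes]


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Return (user, filename, pattern_number) for every sync/share event whose
    filename matches one of the recipient-derived shapes."""
    cache: Dict[str, List[re.Pattern]] = {}
    hits: List[Tuple[str, str, int]] = []
    for ev in events:
        pats = cache.setdefault(ev["user"], build_patterns(ev["user"]))
        for number, pat in enumerate(pats, start=1):
            if pat.match(ev["file"]):
                hits.append((ev["user"], ev["file"], number))
                break
    return hits


def zip_script_members(data: bytes) -> List[str]:
    """Return the names of script-like members inside a zip attachment.
    Non-zip input yields an empty list rather than an exception."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def make_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build a small in-memory zip (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sync/share events for one recipient (not taken from the post).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "joey.tribbiani@example.com", "file": "Joey.tribbianiK7Q2XZ_1A2B3C.zip"},
    {"user": "joey.tribbiani@example.com", "file": "Joey.tribbiani_proposal_0F1E2D.zip"},
    {"user": "joey.tribbiani@example.com", "file": "Pdf_letter-joey.tribbiani_ABCDEF.zip"},
    {"user": "joey.tribbiani@example.com", "file": "Q3_budget.xlsx"},
    {"user": "joey.tribbiani@example.com", "file": "joey.tribbiani_proposal.zip"},
]


if __name__ == "__main__":
    for user, name, number in flag_events(SAMPLE_EVENTS):
        print(f"suspicious attachment name for {user}: {name} (pattern {number})")
    sample = make_sample_zip("invoice.js", b"// constructed placeholder, not malware")
    print("script members in sample zip:", zip_script_members(sample))
```

The two checks are independent: a filename match alone is a strong signal on its own (a benign document is rarely named after its recipient plus a hex suffix), while `zip_script_members` catches the delivery mechanism regardless of the name, so a sync pipeline would typically raise on either.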
Attack Vector
The attack vector follows the usual infection pattern in which the attached zip file contains an obfuscated JavaScript. We have noticed variations in the wrapper JavaScript, indicating that the attackers were attempting multiple ways to evade corporate security controls. Netskope Threat Protection detects the attached zip file and the obfuscated JavaScript inside as Gen.Downloadrs.B1F4C42E, Gen.Downloadrs.10CC4FE0 and Generic.JS.DownloaderS.B1F4C42E respectively.
Obfuscated JavaScripts
During our investigation, we observed two variations of the obfuscated JavaScript that were delivered as zip atta