Visual depiction of the life cycle of the Cloud Squirrel Attack
Last week we posted an article, giving an overview about the CloudSquirrel malware campaign that takes advantage of multiple cloud apps throughout the kill chain with the intent to steal and exfiltrate user data. We will talk about technical details in this blog.
Listed below are the activities seen in the CloudSquirrel malware campaign:
- Uses a variety of cloud services to download its main payload.
- Uses DropBox for its C&C (command and control) server.
- Infects users by downloading malicious payloads ( 32 bit and 64 bit executables) that collects information about the victim’s machines including the victim’s email account credentials configured in native email clients.
- Primarily affecting Brazilian users based on the facts – file names e.g. “NF-eletronica”, “visualizar boleto” and also the parameter names used in the data exfiltration.
CloudSquirrel malware typically arrives on the user’s machine as an attachment or a link via email. These attachments, and links will generally involve a ‘..’ extension, such as “NF-eletronica-8457348947..Docx.zip”. The delivery mechanism of CloudSquirrel we saw was being distributed using ServInt’s Jelastic Platform-As-A-Service(PaaS). Jelastic redirects to the CloudApp cloud platform which in turn uses Amazon AWS for its backend cloud services as shown in Figure 1.
Figure 1: CloudSquirrel delivery mechanism
The downloaded sample “NF-eletronica-8457348947..Docx.zip” (md5 – F23E27F452C523D95D06371922531C48) is a zip archive that contained a JAR file “NF-eletronica-8457348947..Docx.jar” (md5 – A32F45F7B24FBE474816710BBDB046A6). If the user has not allowed viewing of file extensions in their operating system folder options, the sample would be displayed as “NF-eletronica-8457348947..Docx” without the .jar extension. This tricks the user and makes them believe it is a document file.
Analysis of the JAR file
We decompiled the JAR file and the main class file “vvbdhu.class” contained a list of hard-coded URLs in its code, as shown in Figure 2 below:
Figure 2: URLs present in vvbhdu.class
Three of these URLs referred to Dropbox, while another referred to an IP address. These mp4 files were in fact in plain text format and each of them contained list of URLs, as shown in Figure 3 and Figure 4.
Figure 3: URLs in xxxconfg.mp4
Figure 4: URLs in xxxconf1.mp4 , xxxconf2.mp4 and xxxconf4.mp4
At the time of this blog’s publishing, the IP 45.63.23[.]187 was down, and not serving any payload. Since the IP is down, the malware makes an attempt to download the files from the URLs listed with IP 45.32.186[.]249 sequentially. As soon as it downloads a file successfully, it moves to the next stage of execution. Listed below in Figure 5 is the screenshot of malicious server hosting the files.
Figure 5: Files present inside directory /clientes/dados at the website 45.32.186[.]249
The files stark1.pdf, stark2.pdf, stark3.pdf and stark4.pdf have the extension .pdf but are not real PDF files. They are executable files encrypted with the Data Encryption Standard (DES) algorithm which we decrypted using the code present in the vvbhdu.class file shown in Figure 6.
Figure 6: Encrypt and decrypt routines using DES algorithm referred in vvbhdu.class
The vvbhdu.class file also referred to a key “squirrel123” in its code which is used to decrypt the files as shown in Figure 7.
Figure 7: Static key “squirrel123” used for encryption and decryption referred in vvbhdu.class
We made an attempt to manually decrypt the files using the key “squirrel123” as shown in Figure 7, but were unsuccessful. Since a DES key is typically 8 bytes long, we tried with “squirrel” and successfully decrypted the files. In Java, though the DES key is more than 8 bytes long, it considers only the first 8 bytes due to which the execution of the JAR file worked perfectly without giving an exception.
Using the key “squirrel”, the encrypted files were decrypted to the following executables with predefined names OutFileHome.exe, OutFileBreak.exe, Ifgtray.exe and OIgfNswv.exe as shown in Figure 8. These files are saved under “%APPDATA%” in random folder name.
Figure 8: Predefined executable names present in the class file
Analysis of the 4 dropped executable files
The following Table 1 provides additional details around the 4 decrypted files.
File name | MD5 | Application | Packer |
IgfTray.exe | 6276CB1C74D736BC493D5474C04C4781 | 32-bit Executable | VMProtect |
OIgfNswv.exe | F7DF2D29EDF85E7A05C90474FD4B9BE7 | 32-bit Executable | VMProtect |
OutFileBreak.exe | D1C35FF526FC5B5866B889D9957CA361 | 64-bit Executable | VMProtect |
OutFileHome.exe | 60336413E419C2EA5E215F1A32061E40 | 64-bit Executable | – |
Table 1: Details of the dropped files from the execution of NF-eletronica-8457348947..Docx.jar
OutFileHome.exe
We did not observe any activity performed by OutfileHome.exe as shown in Figure 9. The sample is likely a benign file that has the icon and properties of Windows notepad Application.
Figure 9: Message displayed on execution of OutFileHome.exe
Ifgtray.exe
Upon execution of Ifgtray.exe, it dropped two additional utility executables, VIEW.exe and VIEWS.exe related to Nirsoft, a website that provides freeware utilities, in the %temp% directory with details as shown in Table 2, below.
File name | MD5 | Application |
VIEW.exe | 5F6E36DC418B9EF021D7AD958549722C | 32-bit Executable |
VIEWS.exe | 5E59D5F0EEB20FA9F598D56284FADA98 | 32-bit Executable |
Table 2: Details of the dropped files from the execution of Igftray.exe
VIEW.exe is a OutlookAddressBookView utility that displays the details of all recipients stored in the address books of Microsoft Outlook.
VIEWS.exe is an e-mail password recovery utility that reveals the passwords and other account details stored for various accounts that are configured on the local email clients/applications on the victim’s machine