A new malware campaign dubbed CloudFanta is suspected to be behind the theft of 26,000 email credentials and also monitors online banking activities.
Netskope Threat Research Labs said that CloudFanta has been in operation since July 2016 and primarily targets Brazilian users. Unlike the grape or orange, horrible-for-you but oh-so-delicious soft drink that it shares its name with, CloudFanta arrives as much malware does: Via an attachment or a link in a spear-phishing email.
But from there, its modus operandi demonstrates the effective use of cloud services for hosting malware by malicious threat actors—it uses a popular online storage app to complete the infection cycle.
“We observed the CloudFanta malware using the SugarSync cloud storage app for delivering a JAR file that functions as a downloader…for DLL files,” Netskope said in an analysis. “[These] are responsible for stealing the victim’s email credentials, sending malicious emails on behalf of the victim and also for monitoring victims’ online banking activities.”
The DLL files are initially delivered with the .png extension, which, along with the use of SSL/HTTPS communication with SugarSync,s allow CloudFanta to stay under the radar of a number of traditional, network-based security solutions.
“The use of cloud services makes the delivery of malware very easy, effectively making it easier to compromise and gain access to users’ data,” Netskope said. “This clearly signifies an urgent need for enterprises to employ a multi-layered security approach with a strong focus on cloud services.”
Enterprises should track the usage of unsanctioned cloud services and enforce DLP policies to control files and data entering and leaving the corporate environment; and, they should create a security policy to block portable executable files with content type “image/png.”
Standard best practices also apply: Regularly back up and turn on versioning for critical content in cloud services; warn users to avoid opening untrusted attachments regardless of their extension or file name; enable two-factor authentication for email and banking accounts as a safety measure to prevent attackers from accessing the email account even if they know the password; and keep systems and antivirus updated with the latest releases and patches.
Photo © LeoWolfert