Netskope researchers spotted a variant of malware campaign dubbed “CloudFanta” which may have been used to steal 26,000 email credentials including addresses, usernames, and passwords.
Researchers said the malware is unique because it uses cloud services to download and deliver the malware and its payloads, infects users by downloading malicious payloads (32-bit and 64-bit executables) for performing data exfiltration, and targets Brazilian users with the usage of similar file names such as NF-9944132-br.PDF.jar and the parameters used to communicate with the C&C server, according to a 25 October blog post.
Victims will typically get an email with links to download a file that is hosted on cloud storage applications, such as Sugarsync.com and Dropbox.com, that once clicked, will download the malicious file.
The authors of the malware also use social engineering tactics via spear-phishing and emails and take advantage of cloud storage application features that allow users the ability to directly download a file that is hosted on the application using a direct download link, Netskope Director of Engineering and Cloud Security Research Ravi Balupari told SCMagazine.com via email comments.
“Since the malware is using this feature, the user who is tricked into clicking a link will NOT be presented with the cloud storage application website to download the file and instead the file will be auto downloaded,” Balupari said. “Along with this, the malware is using phishing techniques by redirecting the user to a phishing page hosted on their machine itself.”
In order to prevent infection, users are recommended to deploy a layer of security that can comprehend and inspect cloud application traffic and also capable of identifying the malicious file downloads
Balupari also said users and enterprises should monitor for credential data and sensitive data leaking out of their network using cloud DLP solutions and enable two-factor authentication whenever possible.