Note: The following blog post was migrated from the Elastica/Blue Coat website. It was first published on 6/06/2016.
Increasingly, cloud storage apps are used to host malware that enables hackers to conduct drive-by download attacks on the fly. The malware-hosting URL (publicly available and exposed) is distributed as part of phishing campaigns or via other third-party cloud platforms such as Online Social Networks (OSNs). In an earlier blog post, we discussed the root cause of the distribution of Petya ransomware through Dropbox. That post detailed how automated file-downloading functionality can be abused by hackers. Unfortunately, cloud apps are not able to identify malicious programs due to the lack of built-in malware detection capabilities. A simple scan is not enough to prevent an infected file from being uploaded to a cloud service.
In this blog post, we will talk about malicious programs that leverage the SugarSync cloud storage service to propagate. You can get more info about SugarSync here: http://www.cloudwards.net/review/sugarsync/ | http://online-storage-service-review.toptenreviews.com/sugarsync-review.html
Let’s start the analysis. The malware in question here was distributed through a drive-by download attack. Figure 1 highlights the malicious link that downloaded the malware onto end-user systems.
Figure 1: Downloading of Malware Hosted on SugarSync Cloud Service
We performed a quick analysis on the zipped file. The archive contained two files: “oldbug.dll”, a dynamic link library, and an executable, “cbwqugxyasc.exe”. The information gathered from the dumped headers highlights the fact that the executable was packed using the “UPX” packer. As a result, a couple of sections in the executable were compressed. Figure 2 highlights the information collected through a static dump of the “cbwqugxyasc.exe” file.
Figure 2: Static Dump of “cbwqugxyasc.exe” Executable
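The UPX indicators the static dump revealed (UPX-named sections, a section with no raw data but a large virtual size, sections that are both writable and executable) can be checked from the PE section table alone. The following triage helper is an added example and not code from the original post; it parses the IMAGE_SECTION_HEADER array with only the standard library and runs on constructed header-only images, since the real sample is not reproduced here.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}        # names the UPX stub leaves behind
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000        # IMAGE_SCN_MEM_EXECUTE / _WRITE
SECTION_FMT = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(pe: bytes):
    """Walk the PE section table and return one dict per section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                       # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, table + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars})
    return sections

def packing_indicators(pe: bytes):
    """Return human-readable reasons the binary looks packed (empty if none)."""
    reasons = []
    for s in parse_sections(pe):
        n = s["name"].decode(errors="replace")
        if s["name"] in UPX_SECTION_NAMES:
            reasons.append(f"{n}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:   # unpack target: filled at run time
            reasons.append(f"{n}: no raw data but {s['virtual_size']:#x} bytes virtual")
        if s["characteristics"] & SCN_EXECUTE and s["characteristics"] & SCN_WRITE:
            reasons.append(f"{n}: writable and executable")
    return reasons

def build_sample_pe(sections):
    """Constructed header-only PE (no optional header) so the example runs offline."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, 0x1000, rs, 0x400,
                                 0, 0, 0, 0, ch) for n, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + table

# Constructed section tables: a UPX-style layout and a plain compiled binary.
PACKED = build_sample_pe([(b"UPX0", 0x1C000, 0, 0xE0000080), (b"UPX1", 0x8000, 0x7C00, 0xE0000040),
                          (b".rsrc", 0x1000, 0x600, 0x40000040)])
CLEAN = build_sample_pe([(b".text", 0x5000, 0x5000, 0x60000020), (b".data", 0x1000, 0x400, 0xC0000040)])
```

Running `packing_indicators` on a real file means reading it with `open(path, "rb").read()`; a non-empty list is a reason to sandbox the sample rather than a verdict, since legitimate installers also ship UPX-packed.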
We also grabbed the header information of the “oldbug.dll” file to understand how the dynamic link library that was used in conjunction with the malicious executable was built. We found that the DLL’s Import Address Table (IAT) contained APIs such as “IsDebuggerPresent” and “FindWindow”, which are used to detect a debugger. The DLL had anti-debugging logic enabled, so if you try to debug it in a debugger, it won’t execute properly. Additionally, other APIs were found, such as “ShellExecute”, which was used to execute commands (or executables) in the operating system. Other APIs we analyzed were used extensively to steal information from browsers as well as the operating system. The stolen information was then transmitted using an HTTP POST request to the C&C server. Figure 3 highlights the information collected through a static dump of the “oldbug.dll” file.
Figure 3: Static Dump of “oldbug.dll” DLL
After analyzing the binary, the command and control (C&C) domain and URL were found to be hardcoded in the binary itself. Earlier, at BlackHat 2014, several techniques were discussed for penetration testing of botnet C&C servers. We used the same set of techniques here and, due to an insecure C&C configuration, we were able to access the C&C panel managed by the attacker. Further investigation proved that the domain was compromised and geographically belonged to “Thailand”. In addition, the C&C panel used the Portuguese language, i.e. the admin panel shows artefacts of its “Brazilian” origin (refer to Figures 4, 5, and 6).
Figure 4: C&C Panel Admin Interface
Figure 5: Access Obtained - C&C Panel
Figure 6: Compromised System Record in the C&C Panel
Additional Information
- The file has now been removed from the SugarSync cloud service. Figure 7 validates it.
Figure 7: Malware File Removed from SugarSync Cloud Service
- The MalwareMustDie Research group has also talked about this malware in its Twitter feed. Kindly follow @malwaremustdie and look for associated tweets to get their take on this malware.
- The C&C domain is still active. You can get more info about that in Appendix 1.
- Third-party analysis links:
- We also discovered that the SugarSync Cloud Service was dropping another “FlashPlayer.exe” Binary as shown in Figure 8:
Figure 8: Malware File Served through SugarSync Cloud Service
- Appendix 2 highlights the current state of the malware serving URLs on SugarSync
Countermeasures
One of the main concerns is how to prevent malware attacks via the cloud. The following are some typical countermeasures:
- Gain granular visibility into the cloud application traffic as well as network traffic. Elastica’s CloudSOC provides complete visibility into cloud application traffic and how users interact with these apps.
- The Blue Coat advanced malware analysis engine, along with CloudSOC, provides the ability to scan all files in cloud applications, including those shared via links.
- Detect if an abnormal number of files are being encrypted.
- In general, ProxySG and advanced malware analysis integration with Elastica’s CloudSOC provides enterprise users with complete visibility and policy enforcement features. Malware attacks can be either subverted, or the impact can be reduced as enterprises attain visibility into both cloud app and non-cloud app channels.
Appendices:
Appendix 1: C&C Links
- hxxp://www.amnathos.go.th/backup/Contador/painelADM.php
- hxxp://www.amnathos.go.th/backup/Contador/
- hxxp://www.amnathos.go.th/backup/Contador/painel.php
- hxxp://www.amnathos.go.th/backup/images/
- hxxp://www.amnathos.go.th/backup/Contador/index.php
Appendix 2: Malware Downloading Links
- hxxps://www.sugarsync.com/pf/D3250959_07973524_66523?directDownload=true (not cleaned)
- hxxps://www.sugarsync.com/pf/D3251344_07987122_12586?directDownload=true (cleaned)