A new cloud malware strain called CloudFanta has been compromising users in Brazil, and it's expected to spread...
beyond South America.
CloudFanta is different from other malware because of the way it spreads. Like a lot of malware, it is first delivered via a phishing email with a malicious attachment. However, this is only the first stage of an infection. Whereas most malware might then contact a command and control server, CloudFanta uses a popular cloud storage site called SugarSync. The link in the email is a direct download, so the user isn't even shown the SugarSync page.
Once a user clicks the link, it automatically downloads the malicious part of the malware from SugarSync in the form of a Java file. This file is obfuscated by using a double extension, .PDF.jar, which, on most systems, will only show up as .PDF, therefore tricking the user into thinking he is opening a document. Once run, the Java file will then download dynamic-link library files masquerading as PNG image files. This obfuscation is designed to bypass antivirus and firewall protections. The connection to SugarSync is encrypted, further increasing the malware's ability to go undetected.
Once installed, the CloudFanta malware is quite typical in its function, waiting for the user to visit online banking or email sign in pages. The users are then redirected to a phishing site that looks identical to the real page, and when they enter their username and password, these are sent to the attackers. The malware is also used to send further spam emails from the victims' accounts.
SugarSync would be an unusual service to allow in a corporate environment, but to prevent this particular strain on cloud malware, ensure access to it is blocked. It is also important that the enterprise's network security tools and services be able to detect malware in sanctioned and unsanctioned cloud services.
At a user level, ensure that the staff are encouraged to use two-factor authentication for online banking and email. This prevents the attackers from being able to authenticate to the service even if they do have the username and password, and is highly effective at stopping this type of attack. The most important defense is security awareness training for staff that covers common phishing techniques -- if users know not to click links in emails or open attachments they are not expecting, then it significantly limits the risk of a phishing attack being successful.
Although CloudFanta is a very specific threat, it demonstrates a growing trend in malware authors using innovative delivery mechanisms to attempt to defeat traditional network security systems and covertly introduce malware onto corporate networks.
This specific example may be localized and may not affect a huge volume of users, but it is the usage of the cloud as a delivery platform that is interesting. It gives further credence to the need for organizations to understand what cloud services are accessible to and ensure that both sanctioned and unsanctioned cloud services are adequately secured.
Learn how hackers are using Twitter as command-and-control servers for malware
Find out more about the growing threat of cloud malware to cloud service providers
Discover how cloud synchronization facilitates the spread of malware