This document discusses how threat actors are increasingly using cloud services as an attack vector. It provides examples of malware campaigns that have used cloud services for hosting payloads, command and control, and spreading malware. Specifically, it outlines campaigns that have used Amazon S3, Dropbox, Google Drive and other cloud platforms at various stages of the attack lifecycle. The document recommends that organizations inspect cloud traffic, block unnecessary cloud services, and block unsanctioned instances of needed services to better protect their cloud security posture.

1. 2020 © Netskope. All rights reserved.
Cloud as an attack vector
Ashwin & Rushikesh

2. Rushikesh Vishwakarma
● Member of Technical Staff, Netskope
○ Cloud Security Enthusiast
○ Identifying the malware & phishing services using cloud
○ https://www.netskope.com/blog/author/rushikeshvishwakarma

3. Ashwin Vamshi
● Staff Security Research Engineer, Netskope
○ Interest in targeted attacks and malwares using cloud services
○ Speaker @ RSA, Defcon, Bsides
○ https://www.netskope.com/blog/author/ashwinvamshi
○ https://www.linkedin.com/in/ashwinvamshi

4. Cloud Transformation
❖ Enterprises are moving towards Cloud
➢ The traffic has moved from static websites to cloud
❖ Evaluations ?
➢ Do we know what is shared responsibility ?
■ Are we having enough controls ?
➢ What is our security posture ?
❖ Threat actors
➢ I can haz Cloud

6. Cloud Security Posture

7. File Infrastructure Platform
Malware in the Cloud

8. Motivation for Threat actors to use Cloud
❖ Implicit trust
❖ Ease of use and abuse
❖ Reduces the infrastructure overhead
❖ More powerful than traditional hosting or computing services
❖ Significantly cheaper than traditional attack methods (No DGA or BPH needed)
❖ Protection by default (encrypted traffic, API driven communication, etc)

9. Alright … Light, action, Cloud

10. 1
0
https://exceldocshare.blob.core.windows.net
q3vdQApX
john.doe@netskope.com

11. Agenda
❖ Detail specific attack patterns with the theme: Malware in the Cloud (MITC)
➢ Cloud as a malware hosting platform
➢ Cloud as a command and control channel
➢ Cloud as a platform to spread malware
➢ Cloud as a platform to host Crimeware as a Service
❖ How to protect against cloud threats

12. 2020 © Netskope. All rights reserved.
Cloud as a malware hosting platform

13. Cloud squirrel
❖ Infostealer campaign
➢ Targets Brazilian users
❖ Infection vector
➢ Phishing email attachment with double extension
➢ Embedded link to a cloud service → JAR file
❖ Multi-stage cloud app abuse
➢ Jelastic → CloudApp → AmazonAWS → Dropbox
❖ Downloads next stage DES encrypted payloads
https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2

14. Servint
Jelastic
AWS
CnC
View.exe
Views.exe
igftray.exe
OutFileBreak.exe
Olgfnswv.exe
Encrypted DES
Payloads
JAR File
Exfiltrated Data
Machine Data
CloudApp
Cloud squirrel depiction
DropBox
CnC
CnC
Clean up
1
2
3

15. ShortJSRAT
❖ Scriptlets using the “Squiblydoo” technique
❖ Bypasses application whitelisting solutions like Windows Applocker
❖ Uses Cloud services for downloading the next stage payloads
➢ Google Shortener, Dropbox, Github
https://www.netskope.com/blog/shortjsrat-leverages-cloud-scriptlets

16. Dropbox
Cloud Storage
http://goo.gl/kq92ka
Dropbox/1.sct
1.sct
2.sct
ShortJSRAT Depiction
1
2
Dropbox/2.sct

17. 2020 © Netskope. All rights reserved.
Cloud as a command and control channel

18. Xbooster parasitic miner
❖ Parasitic Monero mining malware campaign
❖ Pay-per-install (PPI) & pay-per-click (PPC)
❖ Amazon S3 → Downloader, C&C
❖ GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS
■ 401.52 XMR (~$100,000) using 21 unique Monero accounts & 293 workers
https://www.netskope.com/blog/xbooster-parasitic-monero-mining-campaign

19. Drive by
Download
Pay per Install
1
3
2
4
DistribLauncher.exe
Xmrig.exe
Distrib.zip
Manager.exe
DBupdater.exe log.txt
Victim Machine details
Amazon
ytracker.cf/click.php?cnv_id
Xbooster Depiction
EC2/Silent updater
stratum+tcp://xmr-eu1.nanopoll.org:14444
AWS/distrib.zip
AWS/DBUpdater.exe

20. 2020 © Netskope. All rights reserved.
Cloud as a platform to spread malware

21. Malware fanout
❖ Malware infection spreading through cloud
❖ Virlock (Wormed Ransomware )
➢ Infects and encrypts files
➢ Infected files propagate via cloud
➢ Victims implicitly trust internally shared
files
❖ Rapidly the entire peer network is infected
https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware
https://www.netskope.com/blog/stepping-stone-attack-launches-eternalblue-internally

22. Cloud
Sync
Cloud Storage
Embedded LNK document EternalBlue
Exploit
Embedded LNK document
Embedded LNK document
EternalBlue
Exploit
Shared Users
Eternal Blue + cloud fanout
Email Attachment
with Embedded LNK

23. Cloud phishing fanout
❖ Victim shares bait via cloud app
➢ Secondary propagation vector - cloud sync email attachments
➢ Secondary victims lose context - where did the file originally come from?
❖ “Default allow” action in popular PDF readers
➢ No warnings after you allow a domain
➢ Attacker can easily deploy multiple attacks over same domain
https://www.netskope.com/blog/decoys-phishing-cloud-latest-fan-effect

24. Whats next !!!
https://www.dropbox.com/s/31x4e7a25kp2tuk/scan_0009182764501.exe?dl=1

25. Default Allow policy

26. Did you audit trust manager ?

27. Pardot CRM attack
❖ Spreads via Salesforce Pardot
➢ 12 unique URLs
❖ Pardot delivers infected zip
❖ Zip contains malicious lnk file
❖ Lnk file downloads Trickbot from Google docs
https://www.netskope.com/blog/pardot-crm-attack

28. Google Drive
Pardot CRM
Readme_print_doc.lnk
Partner
Vendor
User
Victim
storage.pardot.com/../Readm_Print.zip
NaFhl.exe
docs.google.com/../3829_93_93.pdf
Pardot CRM Attack Depiction
1
2
3
4

29. 2020 © Netskope. All rights reserved.
Cloud as a platform to host crimeware as a service

31. ❖ PhaaS: Hosted in Amazon, Evennode, Now.
❖ Phishing pages hosted in Pomf clones
➢ SSL powered
➢ Designed to mimic login pages of
popular services like Microsoft, Google
Docs, Dropbox, and DocuSign
❖ Victims credentials recorded via websockets
Hackshit - Phishing as a Service
https://www.netskope.com/blog/resurgence-of-phishing-as-a-service-phaas-platforms

32. Hackshit PhaaS - Generator Page

33. Cloud-enabled kill chain
33
Cloud Security Posture
Tactics
Techniques
Procedures
SSL powered
Valid domain / Certificate
Collaboration
Sync
Fanout effects
Cloud Payloads / Malware
Whitelisted / Popular Domains/IPs
Stage downloader
C&C
Data Exfiltration
Lateral Movement

34. Cloud malware commonalities
❖ Users trust cloud services
❖ Users trust cloud files shared by coworkers and partners
❖ Blocking cloud malware is hard - you can’t just block the app

35. Recommendations
❖ Inspect your cloud traffic
❖ Block services you don’t need
❖ Block unsanctioned instances of services you do need

36. Thank You!
Blog
netskope.com/threat-labs
Report
netskope.com/cloudreport