Malware-as-a-Service – When Your Cloud Begins to Rain Malwares!

Post on 27-Jul-2018


SESSION ID: TTA – R03

#RSAC

Abhinav Singh

Malware-as-a-Service – When Your Cloud Begins to Rain Malwares!

Cloud Security Research, Netskope Inc.

About Netskope

‣ 350+ employees globally, including North America, Europe, and Asia-Pacific

‣ Early distinguished architects from large traditional security companies

‣ First comprehensive CASB patent. 45+ patent claims across four categories, with 100s of patents pending

‣ The world’s largest bank, automaker, pharmaceutical, payment processor, consulting firm, insurance, energy, oil and gas, retail and healthcare companies trust Netskope.

Agenda

• Malware in the cloud – myth or reality?
• Brief history of malware campaigns utilizing cloud services
• Generic cloud threats like the malware “fan-out” effect and “man-in-the-cloud”
• Detailed analysis of cloud-based malware campaigns
• Adoption of service-based models by cyber criminals
• Recommended actions


What is malware doing in the Cloud?

Diagram (labels only): malware observed across file infrastructure, SaaS, IaaS, SaaS + IaaS and PaaS.

Cloud Based Malware Timeline

• Cerber ransomware (6/30/16)
• cute-Ransomware (7/12/16)
• CloudSquirrel (7/15/16)
• Zepto (Locky variant) (7/16/16)
• URSNIF data theft (8/2/16)
• Zepto delivered via DLL (9/9/16)
• Virlock ransomware (9/27/16)
• Nitol botnet (10/14/16)
• CloudFanta (10/18/16)
• New variants of Locky (12/15/16)
• Cloud phishing (1/18/17)
• Virlock’s resurgence (1/30/17)
• Ransomware + click fraud (1/30/17)
• Cloud CRM attack vector (2/09/2017)
• Targeted attack campaign with multivariate malware (3/08/2017)
• Godzilla botnet analysis (4/07/2017)
• Google Doc cloud phishing (5/04/2017)

Generic Cloud Threat Concepts

• Malware “fan-out” effect
• Man-in-the-cloud (MITC)

Malware “fan-out” Effect in an Enterprise Cloud

Diagram: a malicious file dropped into a shared, synced folder is replicated by the sync clients to every collaborator’s device, so a single infection reaches the whole peer network.

Man-in-the-cloud Affecting Cloud Applications

Diagram (labels only): Token A, Token B.
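The man-in-the-cloud attack described by Imperva in 2015 does not touch the victim's password: it copies the sync client's persistent token (Token A on the diagram) and replays it from the attacker's machine, so no login or MFA prompt ever fires. The observable that survives is the same token being used from two different devices at the same time. The following detection is an added example for this page, not code from the talk or from Netskope; the audit-log format, field names and sample lines are constructed assumptions that you would map onto your CASB or sync-service export.

```python
"""Flag a cloud-sync token used from more than one device within a short window.

Added example (not from the talk). Log layout and field names are assumptions:
time, account, token id, device id, source IP, whitespace separated.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. dev-unknown-77 / 203.0.113.9 is an attacker replaying
# alice's token (tok-A) while her own laptop is still syncing with it.
SAMPLE_LOG = """\
2017-03-08T09:00:01Z alice tok-A dev-laptop-01 10.1.2.3
2017-03-08T09:05:12Z alice tok-A dev-laptop-01 10.1.2.3
2017-03-08T09:07:45Z alice tok-A dev-unknown-77 203.0.113.9
2017-03-08T09:08:30Z bob tok-B dev-laptop-02 10.1.2.4
2017-03-08T09:10:00Z alice tok-A dev-laptop-01 10.1.2.3
2017-03-08T11:30:00Z bob tok-B dev-laptop-02 10.1.2.4
"""


def parse_events(text):
    """Parse audit lines into dicts with a real timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, token, device, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "token": token, "device": device, "ip": ip,
        })
    return events


def find_shared_tokens(events, window_minutes=15):
    """One alert per (token, pair of devices) seen within window_minutes of each other.

    A token legitimately changes device when a user re-links a client; two devices
    using it concurrently is the MITC signature, so the window is kept short.
    """
    window = timedelta(minutes=window_minutes)
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)

    alerts, seen = [], set()
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if cur["ts"] - prev["ts"] > window or prev["device"] == cur["device"]:
                    continue
                key = (token, frozenset((prev["device"], cur["device"])))
                if key in seen:          # report each device pair once, not per event
                    continue
                seen.add(key)
                alerts.append({
                    "token": token,
                    "account": cur["account"],
                    "devices": sorted({prev["device"], cur["device"]}),
                    "ips": sorted({prev["ip"], cur["ip"]}),
                    "first_seen": prev["ts"].isoformat(),
                    "second_seen": cur["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_shared_tokens(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample this yields a single alert for tok-A spanning dev-laptop-01 and dev-unknown-77; shrinking the window to two minutes yields none, which is the tuning knob between "user re-linked a client" and "token replayed in parallel". The remediation that actually closes the hole is revoking the token server-side; changing the password does not invalidate a sync token on most services.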

Malware Campaigns utilizing the Cloud

• CloudSquirrel malware campaign
• CloudFanta malware campaign

Brief Technical Analysis: CloudSquirrel, CloudFanta

Phishing in the Cloud

• File decoys hosted in the cloud
• Documents used for phishing attacks against popular cloud applications

Cloud Phishing

Ransomware with Benefits!

• Ransomware attacks with blended threats.
• Cloud sharing and collaboration turn it into an elevated threat.
• Encrypts files and also infects the same files.

Diagram: layout of an infected file: polymorphic code, malware code, clean code, polymorphic code.

Ransomware Blended Threats: Wormed Ransomware

• Rapidly, the entire peer network is infected.
• Many collaborative files are infected and encrypted many times over.
• Many ransoms to be paid; perhaps a bulk discount can be negotiated?

Advanced Malware Families utilizing the Cloud

• Carbanak banking trojan
• Inception Framework

Carbanak Banking Trojan APT

• Group of financially motivated cyber criminals, first publicly reported in 2015.
• Hides in plain sight.
• Uses Google Apps Script, Google Sheets and Google Forms to build its command-and-control service.

Carbanak Banking Trojan APT: command-and-control flow over Google Sheets

1. Request a unique ID (UUID) for the infected host.
2. Check for the existence of a Google Sheet for that unique ID; if none is found, create it.
3. Read the Google Sheet content for commands to execute.
4. Write the output back to the sheet.
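The four-step loop above runs entirely over a legitimate SaaS API, which is the whole point of "hiding in plain sight". The simulation below plays both sides of that exchange so the pattern can be studied offline. It is an added example and not Carbanak's code: FakeSheets is an in-memory stand-in for the Google Sheets API (the real implant's use of Apps Script and Forms is not modelled), the row layout and field names are assumptions made for the example, and HANDLERS are harmless stand-ins for whatever a real implant would execute.

```python
"""Simulation of the spreadsheet-backed C2 loop on the slide (added example, not Carbanak code).

FakeSheets replaces the Google Sheets API so this runs offline; row format is an assumption.
"""
import uuid


class FakeSheets:
    """One 'sheet' per key, each a list of row dicts (stands in for the Sheets API)."""

    def __init__(self):
        self.sheets = {}

    def exists(self, name):
        return name in self.sheets

    def create(self, name):
        self.sheets[name] = []

    def read(self, name):
        return list(self.sheets[name])

    def append(self, name, row):
        self.sheets[name].append(row)


# Benign stand-ins for command handlers (assumption for the example).
HANDLERS = {
    "ping": lambda: "pong",
    "whoami": lambda: "simulated-user",
}


class Implant:
    """Victim side: unique ID -> find or create sheet -> read commands -> write results."""

    def __init__(self, sheets, bot_id=None):
        self.sheets = sheets
        self.bot_id = bot_id or str(uuid.uuid4())   # step 1: one UUID per infected host

    def check_in(self):
        """Step 2: the sheet named after the UUID is the per-victim channel."""
        if not self.sheets.exists(self.bot_id):
            self.sheets.create(self.bot_id)
        return self.bot_id

    def poll(self):
        """Steps 3 and 4: run each command that has no result row yet, write the result back."""
        rows = self.sheets.read(self.bot_id)
        answered = {r["id"] for r in rows if r["type"] == "result"}
        executed = []
        for r in rows:
            if r["type"] != "cmd" or r["id"] in answered:
                continue
            handler = HANDLERS.get(r["cmd"])
            out = handler() if handler else "unknown command: " + r["cmd"]
            self.sheets.append(self.bot_id, {"type": "result", "id": r["id"], "out": out})
            executed.append(r["id"])
        return executed


class Operator:
    """Attacker side: victims are enumerated by sheet name, commands queued as rows."""

    def __init__(self, sheets):
        self.sheets = sheets

    def bots(self):
        return sorted(self.sheets.sheets)

    def task(self, bot_id, cmd):
        cmd_id = sum(1 for r in self.sheets.read(bot_id) if r["type"] == "cmd") + 1
        self.sheets.append(bot_id, {"type": "cmd", "id": cmd_id, "cmd": cmd})
        return cmd_id

    def results(self, bot_id):
        return {r["id"]: r["out"] for r in self.sheets.read(bot_id) if r["type"] == "result"}


def run_exchange():
    """One full round trip; returns (results the operator sees, ids run on poll 1, ids run on poll 2)."""
    sheets = FakeSheets()
    bot = Implant(sheets, bot_id="11111111-2222-3333-4444-555555555555")  # fixed ID for determinism
    bot.check_in()
    op = Operator(sheets)
    op.task(bot.bot_id, "ping")
    op.task(bot.bot_id, "whoami")
    op.task(bot.bot_id, "screenshot")       # not in HANDLERS: reported back, never run
    first = bot.poll()
    second = bot.poll()                     # nothing new: every command already has a result row
    return op.results(bot.bot_id), first, second


if __name__ == "__main__":
    print(run_exchange())
```

What a defender can take from the simulation: every request goes to a Google endpoint over TLS, so IP and domain blocklists see nothing. What is visible in the Sheets audit trail of a sanctioned Google account, or in a CASB that inspects the API calls, is a spreadsheet created per host, read on a fixed cadence, and written to by machines that have no business in Sheets at all. That is the kind of "threat at rest in a sanctioned service" the recommended actions at the end of the talk ask you to detect.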

Inception Framework (Cloud Hosted APT)

• Initially targeted at Russia, but expanding globally.
• Clean and elegant code, suggesting strong backing and top-tier talent.
• Includes malware targeting mobile devices: Android, BlackBerry and iOS.
• Uses a free cloud hosting service based in Sweden for command and control.

Service-Based Models adopted by Cyber Criminals

• Has been around since early 2012.
• Major dealers include exploit kit sellers, botnet controllers and click fraud operators.
• Current portfolio includes:
  • Ransomware-as-a-Service (RaaS)
  • Phishing-as-a-Service (PhaaS)
  • Crimeware-as-a-Service

Diagram (labels only): MaaS, PaaS.

How to detect Malware propagating through the Cloud

Recommended Actions (“Apply”)

• Detect and remediate all threats at rest in sanctioned cloud services.
• Detect and remediate all threats being downloaded from unsanctioned cloud services.
• Enforce policy on the usage of unsanctioned applications as well as unsanctioned instances of sanctioned cloud applications.
• Enforce DLP policies to control files and data en route to or from your corporate environment.
• Regularly back up and turn on versioning for critical content in cloud services.
• Track both managed and unmanaged devices accessing cloud services.
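The versioning recommendation is the direct answer to the wormed-ransomware slide earlier in the deck, where shared files are encrypted many times over as the infection fans out through a synced folder: if every write keeps the previous version, the incident becomes a detect-and-roll-back exercise instead of a ransom negotiation. The example below is added for this page and is not code from the talk or from any product. The versioned store, file names and contents are constructed; fake_ciphertext() produces deterministic hash output standing in for encrypted data; the entropy threshold and window are assumptions.

```python
"""Versioned store: spot a burst of high-entropy overwrites, then roll back to the last clean versions.

Added example, not from the talk. All files, contents and thresholds are constructed.
"""
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.0   # bits/byte (assumption): plain documents sit well below, ciphertext near 8


def shannon_entropy(data):
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fake_ciphertext(seed, blocks=32):
    """Deterministic stand-in for encrypted content: 1024 bytes of SHA-256 output."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))


class VersionedStore:
    """Every write keeps the previous version, which is what 'turn on versioning' buys you."""

    def __init__(self):
        self.versions = {}   # path -> [(timestamp, bytes), ...] oldest first

    def write(self, path, data, ts):
        self.versions.setdefault(path, []).append((ts, data))

    def read(self, path):
        return self.versions[path][-1][1]

    def rollback_before(self, path, cutoff, restore_ts):
        """Re-publish the newest version written before `cutoff`; False if none exists."""
        clean = [d for t, d in self.versions[path] if t < cutoff]
        if not clean:
            return False
        self.write(path, clean[-1], restore_ts)
        return True


def find_encryption_burst(store, window=timedelta(minutes=5), min_files=3):
    """Earliest time at which >= min_files distinct paths got a high-entropy overwrite within `window`."""
    overwrites = sorted(
        (t, path)
        for path, vs in store.versions.items()
        for t, d in vs[1:]                       # vs[0] is the original upload, not an overwrite
        if shannon_entropy(d) >= HIGH_ENTROPY
    )
    for i, (start, _) in enumerate(overwrites):
        touched = {p for t, p in overwrites[i:] if t - start <= window}
        if len(touched) >= min_files:
            return start
    return None


def restore_after_burst(store, burst_ts, restore_ts):
    """Roll back every path hit by a high-entropy write at or after burst_ts; returns the count restored."""
    restored = 0
    for path, vs in list(store.versions.items()):
        hit = any(t >= burst_ts and shannon_entropy(d) >= HIGH_ENTROPY for t, d in vs)
        if hit and store.rollback_before(path, burst_ts, restore_ts):
            restored += 1
    return restored


def simulate():
    """Three shared documents, one legitimate edit, then a wormed ransomware rewriting all of them."""
    t0 = datetime(2017, 3, 8, 9, 0, 0)
    store = VersionedStore()
    docs = {   # constructed plain-text contents
        "shared/q3-budget.csv": b"travel,12000\ncloud,8000\ntraining,3000\n" * 20,
        "shared/roadmap.md": b"Roadmap: CASB connector in Q3, DLP policies in Q4\n" * 20,
        "shared/notes.txt": b"Meeting notes: review fan-out incident, enable versioning\n" * 20,
    }
    for path, data in docs.items():
        store.write(path, data, t0)
    edited_notes = docs["shared/notes.txt"] + b"Action item: track unmanaged devices\n"
    store.write("shared/notes.txt", edited_notes, t0 + timedelta(hours=1))    # legitimate edit
    t_attack = t0 + timedelta(hours=2)
    for i, path in enumerate(docs):                                            # fan-out: every synced file hit
        store.write(path, fake_ciphertext(path), t_attack + timedelta(seconds=30 * i))
    burst = find_encryption_burst(store)
    restored = restore_after_burst(store, burst, t_attack + timedelta(hours=1)) if burst else 0
    return {"store": store, "burst": burst, "restored": restored,
            "edited_notes": edited_notes, "docs": docs}


if __name__ == "__main__":
    r = simulate()
    print("burst at", r["burst"], "restored", r["restored"], "files")
```

Two caveats a practitioner would add before running anything like this against a real tenant. Entropy alone misfires on formats that are already compressed, and that includes real .docx and .xlsx files, which are ZIP containers; production detection pairs entropy with extension changes, renames and write rate per user, which is why the constructed sample uses plain-text file types. And rollback only helps if versions are retained longer than the dwell time of the infection and the attacker cannot purge them, so version retention should be enforced by the service, not left to the sync client.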

Thank You!

M.Tech Booth #D02