Financial data stealing malware on the Amazon cloud

There were some recent comments about Amazon Cloud as a platform for successful attacks on Sony. Now Amazon Web Services (cloud) now are being used to spread financial data stealers.

The evidence indicates that the criminals behind the attack are from Brazil and they used several previously registered accounts to launch the infection. Unfortunately after my formal complaints to Amazon, and waiting more than 12 hours, all malicious links are still on-line and active!

More and more criminals use legitimate cloud services for malicious purposes. In most cases, they successfully abuse them.

The malware hosted on Amazons comes with a bunch of different malicious codes, all of them dropped to the victim’s machines and acting in different ways:

  • Acting as a rootlet – looking for and denying a normal execution of 4 different Anti-Viruses and a special security application called GBPluggin and used for Brazilian on-line banking by many banks in that country.
  • Steal financial information from 9 Brazilian and 2 International Banks.
  • Steal Microsoft Live Messenger credentials.
  • Steal digital certificates used by eTokens in the system.
  • Steal information about the CPU, Volume hard drive number, PC name and so on (this information is being used by some Latin American banks during login sessions to the bank in order to authenticate customers).
  • Exfiltrate stolen data in two ways: via email to a cybercriminal’s Gmail account and via special php inserting data to a remote database.
  • Finally, the malicious samples are protected by a legitimate anti-piracy software called The Enigma Protector. The criminals used it in order to make harder reverse engineering process for the analysts.

All samples are detected by KAV as:

  • Trojan-Downloader.Win32.Murlo.lib
  • Trojan-PSW.Win32.MSNer.a
  • Trojan-Banker.Win32.Banz.iok
  • Trojan-Banker.Win32.Banker.blpm
  • Trojan-Downloader.Win32.Homa.fgx
  • Trojan-Banker.Win32.Banker.blbt.

I also hope all malicious links will be deactivated by Amazon soon as well. I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber attacks.

Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud.

Author: Dmitry Bestuzhev, Kaspersky Lab Expert.

Don't miss