NetSkope Performs Analysis of CloudFanta Malware

A new report published by NetSkope Threat Research Labs casts some light on CloudFanta malware, which is currently being spread via spearphishing campaigns.

CloudFanta malware was first identified in July 2016 and is known to have been used in upwards of 26,000 credential-stealing attacks. The purpose of the malware is to steal email credentials and monitor online banking activities. Once email credentials have been obtained, messages are sent from the compromised account, while stolen banking credentials are used to make fraudulent transfers. Attacks have been concentrated in Brazil, although the use of CloudFanta malware is likely to spread further afield.

As with many malware campaigns, infection begins with an email attachment or malicious link. The emails use social engineering techniques to trick the user into taking the desired action – visiting the link or opening an infected email attachment.

CloudFanta malware leverages the SugarSync cloud storage app to deliver a JAR file which serves as a downloader for a number of malicious executable Dynamic Link Library (DLL) files. Those files are masked and appear as PNG image files and are used to steal information. After download, the malicious DLL files are renamed and given the .twerk extension.

Communications via the SugarSync app are encrypted, allowing the malware to avoid detection by traditional network anti-virus solutions, next-gen firewalls, and intrusion detection systems. The use of the cloud for hosting malware makes it much easier for the attackers to access the malware and operate undetected. Many security solutions do not effectively protect against cloud-based malware.

Once infected, users are directed to phishing webpages which capture email credentials before redirecting the user back to the genuine email login page. The credentials are then sent to the attackers C&C server. However, CloudFanta malware also monitors online banking activity and cleverly gets around many of the security features of online banks.

Rather than monitoring keystrokes, the malware takes a screenshot of the login page for every click of the mouse. This allows the malware to capture data from the virtual keyboards used by many banks. This method allows the attackers to easily capture banking passwords.

Due to a number of similarities in its mode of action, NetSkope believes CloudFanta malware was developed by the same individuals responsible for CloudSquirrel malware. NetSkope Threat Research Labs has been working closely with both SugarSync and the French hosting company OVH to neutralize the threat and take down the malicious URLs and C&C servers. The company is continuing to actively monitor the CloudFanta malware campaign.

Since the attacks start with a spearphishing campaign, one of the most effective methods for preventing infection is end user training. Software solutions can also be used to block the delivery of spam email and filter the Internet to prevent malicious websites from being visited. NetSkope has also developed a solution to neutralize the threat from malware that leverages cloud services.

As far as is possible, security policies should be developed to prevent the running of executable files, in particular those with an image/png content type. Netskope also recommends enabling the “view known file extension” function in Windows to show files with dual extensions.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of