Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Attack Abuses CDNs to Spread Malware

Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.

Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.

The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.

The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.

The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.

Searching for indicators of compromise is also difficult in such cases, as the affected environments might have a large number of access records made by non-malicious software, the security researchers say.

After the content of said JS snippet is fetched, a function is called to add to the end of the JS snippet a string containing “downAndExec” and two parameters representing the URL where the C&C is hosted, and “x-id” data, which is necessary to download other payloads.

The researchers also discovered that in addition to obfuscation, protection against sandboxing has been implemented as well. Thus, the malicious code isn’t executed if the JS snippet is analyzed separately. Moreover, the script performs a series of checks before executing malicious functions, to make sure that the target machine is of potential interest.

The malware checks for various files, after which it starts looking for folders associated with banking programs such as Bradesco, Itaú, Sicoob and Santander. The researchers suggest that this check is probably intended to prevent activation of malicious functions on computers that are not used for online banking.

Advertisement. Scroll to continue reading.

Finally, the malware also checks whether the target computer is located in Brazil. This shows that the attack is targeted and might also be meant to avoid analysis. The snippet verifies that the customer IP is from a Brazilian AS (autonomous system).

Should the computer meet all conditions, the malware initiates communication with the C&C, which results in the final compromise being performed. In the analyzed incident, the malware downloaded three files, one of which is a banking Trojan.

“As we have seen, the downAndExec technique involves two download stages and several protections, either to identify machines matching the desired profile, or to distribute malicious code in ‘sterile’ sections, which on their own do not execute (in order to bypass online protections), but which, when joined with other pieces of malicious code, are capable of compromising a victim’s computers,” ESET concludes.

Related: Floki Bot Developer Imports Cybercrime Tools to Brazil

Related: PowerShell-Abusing Banking Trojan Goes to Brazil

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.