Minidionis: a malignant rain from the cloud

Minidionis is yet another backdoor from the same APT group responsible for CozyDuke, MiniDuke, and CosmicDuke – this time with some “cloud” capabilities.

Just yesterday we blogged that ransomware-related news stories look like war chronicles. The same is actually true for APTs, and for the same reason: an elevated attention. In fact, APTs tend to make  grounds for it repeatedly. The latest announced APT malware, codenamed Minidionis (aka CloudLook), is able to use cloud drives for its purposes, which is bad news for businesses actively using legit cloud services for their needs.

Minidionis is yet another backdoor from the same APT group responsible for CozyDuke, MiniDuke, and CosmicDuke.

“Analyzing this malware, we noticed that attackers implemented a cloud drive capability to store malware and download them onto infected systems. Almost a year ago, we observed another APT group named “CloudAtlas” using cloud drives to store stolen information. Now we see a similar technique in CloudLook/Minidionis”, writes Sergey Lozhkin at Securelist.

CloudLook is also interesting in that it uses PDF files (containing the information regarding world terrorism) and even fake voicemails (.wav files) attached to their spear-phishing emails.

This APT malware is actually used in very narrowly targeted attacks, apparently preceded with extensive reconnaissance in order to ensure success. Technical details are available at Securelist and Palo Alto Networks.

If the malicious payload has been executed, stage two is initiated: a dropper downloads a new payload from Microsoft’s Onedrive cloud service storage.

“The malware maps a Onecloud storage drive as a network drive using a hardcoded login and password, and then copies down its cloud-stored backdoors to the local system”, Lozhkin writes, and then suggests that an approach like this may soon become mainstream. “It effectively gives the attackers a simple method of hiding malicious behavior”, Lozhkin said, explaining that detecting malicious traffic with legitimate cloud services is a complicated thing. This would actually require blocking legitimate services as well.

Cloud services have gone mainstream as of a few years ago. Concerns of the security (and the level of owner’s control) of data stored therein rose almost immediately – as have the concerns on whether cloud services can be used for malicious purposes. It appears they can be, and this actually not the first time Kaspersky Lab’s experts detected malware coming from leased storage.

Even though cloud operators insist their resources are secure, there’s little they can do with the miscreants who have personal accounts with Onedrive, Dropbox, iCloud, etc. when they upload their brand new attacking tools, obfuscated and encrypted, in order to smuggle it to the victims’ boxes later on.

Businesses that use cloud storage would barely be willing to drop it. This creates a slight (for now), but a real possibility that it will be exploited to deliver malware, APT-related or not.

How to counter it? A local security solution should be in place, scanning all of the traffic coming from the cloud storage; an antimalware solution capable of behavior analysis to prevent unknown malware and exploits from executing should help as well, and of course, antiphishing tools are an absolute must. All of these functions are present in Kaspersky Lab’s business security suites. Take a look.