Yesterday our colleagues from Paloalto networks presented a research uncovering Minidionis (also known by the Kaspersky codename – “CloudLook”). It’s an another backdoor from APT group responsible for other attacks such as CozyDuke , MiniDuke, and CosmicDuke.
Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems. Almost one year ago, we observed another APT group codenamed “CloudAtlas” (link), also using cloud drives to store the stolen information. And now we see a similar technique in CloudLook/Minidionis.
Minidionis uses multidropper scheme to infect it victims. Usually attacker’s uses spear-phishing emails with a self-extracting archive pretending to be a voicemail. When victim opens an archive the second stage dropper executes and a .wav file plays looking like a real voicemail. Also attackers were using a self-extracting archive containing a PDF file luring it’s victims with information regarding world terrorism:
After successful execution the second stage dropper of Minidionis malware uses Onedrive cloud storage to download payload from:
The malware maps an Onecloud storage drive as network drive using hardcoded login and password, and then copies files that stored in cloud to the local system:
Could this approach become a mainstream? It’s quite possible, because it gives the attackers a simple method of hiding malicious behavior – detection of to-the-cloud malicious traffic is more complicated as it means also blocking legitimate services.
According to Kaspersky Security Network, every single attack using Minidionis/CloudLook backdoors was specifically crafted for a particular target. This indicates that the attacks are highly customized and focused on value targets. So far, we’ve observed several targets, most notably in diplomatic organizations from Europe.
Kaspersky Lab detects all known samples of Minidionis/CloudLook as Trojan.Win32.Generic, and successfully protects its users against the threat.