There were some recent comments about Amazon Cloud as a platform for successful attacks on Sony… Well, today I found that Amazon Web services (Cloud) now is being used to spread financial data stealers.

The evidence indicates that the criminals behind the attack are from Brazil and they used several previously registered accounts to launch the infection. Unfortunately after my formal complaints to Amazon, and waiting more than 12 hours, all malicious links are still on-line and active! It’s worth mentioning that more and more criminals use legitimate cloud services for malicious purposes. In most cases, they successfully abuse them.

Now, just few words about malware hosted on Amazons WS Cloud:

It comes with a bunch of different malicious codes, all of them dropped

to the victim’s machines and acting in different ways:

Acting as a Rootkit – looking for and denying a normal execution

of 4 different Anti-Viruses and a special security application called

GBPluggin and used for Brazilian on-line banking by many banks in that

country:

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgwdsvc.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgchsvx.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgtray.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgrsx.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgcsrvx.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10Identity ProtectionAgentBinAVGIDSAgent.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10Identity ProtectionAgentBinAVGIDSMonitor.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG10avgnsx.exe

DeviceHarddiskVolume1Arquivos

de programasAlwil SoftwareAvast5AvastUI.exe

DeviceHarddiskVolume1Arquivos

de programasAlwil SoftwareAvast5AvastSvc.exe

DeviceHarddiskVolume1Arquivos

de programasAviraAntiVir Desktopavscan.exe

DeviceHarddiskVolume1Arquivos

de programasAVGAVG8avgupd.exe

DeviceHarddiskVolume1Arquivos

de programasAlwil SoftwareAvast4VisthUpd.exe

DeviceHarddiskVolume1Arquivos

de programasAviraAntiVir Desktopavupgsvc.exe

DeviceHarddiskVolume1Arquivos

de programasAlwil SoftwareAvast5AvastUI.exe

DeviceHarddiskVolume1Arquivos

de programasESETESET NOD32 Antivirusupdater.dll

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbpsv.exe

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbiehcef.dll

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbieh.gmd

DeviceHarddiskVolume1Arquivos

de programasGbPlugincef.gpc

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbieh.dll

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbpdist.dll

DeviceHarddiskVolume1Arquivos

de programasGbPluginbb.gpc

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbpkm.sys

DeviceHarddiskVolume1WINDOWSsystem32scpsssh2.dll

DeviceHarddiskVolume1WINDOWSsystem32driversgbpkm.sys

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesscpsssh2.inf

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesabn.gpc

DeviceHarddiskVolume1WINDOWSDownloaded

Program Fileserma.inf

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesgbieh.gmd

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesgbiehabn.dll

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesgbiehuni.dll

DeviceHarddiskVolume1WINDOWSDownloaded

Program FilesGbPluginABN.inf

DeviceHarddiskVolume1WINDOWSDownloaded

Program FilesGbPluginuni.inf

DeviceHarddiskVolume1WINDOWSDownloaded

Program Filesuni.gpc

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbiehuni.dll

DeviceHarddiskVolume1Arquivos

de programasGbPluginuni.gpc

DeviceHarddiskVolume1Arquivos

de programasScpadscpIBCfg.bin

DeviceHarddiskVolume1Arquivos

de programasScpadscpMIB.dll

DeviceHarddiskVolume1Arquivos

de programasScpadscpsssh2.dll

DeviceHarddiskVolume1Arquivos

de programasScpadsshib.dll

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbiehscd.dll

DeviceHarddiskVolume1Arquivos

de programasGbPlugingbpdist.dll

DeviceHarddiskVolume1Arquivos

de programasGbPluginscd.gpc

DeviceHarddiskVolume1Arquivos

de programasGbPluginGbpSv.exe

Steal financial information from 9 Brazilian and 2 International

Banks!

Banks! Steal Microsoft Live Messenger credentials.

Steal digital certificates used by eTokens in the system.

Steal information about the CPU, Volume hard drive number, PC

name and so on (this information is being used by some Latin American

banks during login sessions to the bank in order to authenticate

customers)

name and so on (this information is being used by some Latin American banks during login sessions to the bank in order to authenticate customers) Exfiltrate stolen data in two ways: via email to a

cybercriminal’s Gmail account and via special php inserting data to a

remote database.

cybercriminal’s Gmail account and via special php inserting data to a remote database. Finally, the malicious samples are protected by a legitimate

anti-piracy software called The

Enigma Protector. The criminals used it in order to make harder

reverse engineering process for the analysts.

All samples are detected by KAV as:

Trojan-Downloader.Win32.Murlo.lib

Trojan-PSW.Win32.MSNer.a

Trojan-Banker.Win32.Banz.iok

Trojan-Banker.Win32.Banker.blpm

Trojan-Downloader.Win32.Homa.fgx

Trojan-Banker.Win32.Banker.blbt

I also hope all malicious links will be deactivated by Amazon soon as well. I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks. Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud.

As of yesterday (June 6), all malicious links have been taken down by Amazon Web Services and are no longer active.

Brazilian cyber criminals intentionally launched the attack on Friday night. They know that usually it takes more time to detect and neutralize threats launched during the weekend. The same technique has been widely used by phishers for a while.

In order to avoid falling victim to these kinds of attacks, Web users should pay special attention to any suspicious issue during the weekend.

The AWS Security team has a special Web page to report these security incidents: http://aws.amazon.com/security/vulnerability-reporting/