Posted: January 29, 2014 by

Last updated:

Neutrino delivers fake Flash Player that retrieves malware on SkyDrive.

As cloud computing becomes more popular, malware authors are also taking interest in using this technology to store their own files—except, of course, their files are usually bad.

SkyDrive (recently renamed to OneDrive) is Microsoft’s cloud storage solution, and competes directly with other big-name storage products like Google Drive and Dropbox, all of which provide a convenient solution to accessing your files from virtually any location with internet access.

Recently, I found a downloader collected from our honeypot that appears as a fake Flash Player installer. These type of programs usually deliver malware and are very successful at making people believe they’re installing or updating the real Flash Player.

This particular downloader file currently is detected by 9/50 vendors on Virustotal. Malwarebytes Anti-Malware detects it as Trojan.Agent.AI.

The downloader binary was a payload from the Neutrino Exploit Kit and delivered via a Java exploit. The following URLs are involved:

http://telahzae.kranted.com:8000/hyngtxtu?fyqkxhhmvx=6621548

http://telahzae.kranted.com:8000/kkynrjtkyr.js

http://telahzae.kranted.com:8000/bxdlynvfooebbb

http://telahzae.kranted.com:8000/txsbjk

http://telahzae.kranted.com:8000/dyjumuf?iiqiqdlduj=nmnpvqjhi

http://telahzae.kranted.com:8000/zmezvehuhuwppm?inwpzqvsyla=nmnpvqjhi

The first request is for a script, one that is nearly identical to that seen in a blog earlier this month by fellow researcher Jerome Segura. The delivery method is the same as described in that blog, so it won’t be discussed again here.

When the file runs, it beacons out to the SkyDrive URL and presents a dialog that states it’s installing Flash Player, and then says “Installation Finished!” if everything goes well.

Here is the beacon the downloader makes to SkyDrive:

The first request sets up a secure connection over SSL and then redirects to the download location as seen in the capture below.

The file retrieved is called “flashplayer2.exe”. This file is executed and the downloader is deleted.

I visited the download server multiple times and managed to get different samples, each with their own icon (including a creepy skull). Meaning the samples stored on the SkyDrive folder are constantly being updated.

All of these samples are AutoIt standalone executables with UPX compression. AutoIt is a scripting language, with scripts capable of being converted to EXEs much like perl or python.

To be fair to Microsoft, this isn’t the only instance where cloud storage was used for bad things.

Last November, we reported on a malicious script that was hosted on Google Drive, and similar things have happened with Dropbox. Regardless, it appears more security measures need to be into place to prevent various malicious files and programs from being uploaded to cloud storage services.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. @joshcannell