A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs

Share this…

Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.

We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags. It resembled the way Google Drive was misused as a repository of stolen data, for instance.

The payloads we saw during our research—remote access tools (RATs)—are also notable. We found that after they were downloaded and executed, the RATs/backdoors would phone back to their respective command-and-control servers, which are resolvable via free DNS services. It’s not a novel technique, but our correlation of the indicators of compromise (IoCs) suggests that a potentially sustained, cybercriminal operation took advantage of this platform.

Autodesk® A360 (A360) is a “cloud-based workspace that centralizes, connects and organizes your team and project information across your desktop, the web, and mobile devices.” The suite includes Autodesk® A360 Drive and Autodesk® A360 Team services. A360 Drive provides online storage for collaboration. Anyone can create an account for free and given 5GB of space. The service is comparable to Google Drive or other online file-sharing hosting services. You can upload your documents via browser or desktop, share your documents/files, and invite people to view (or edit, depending on your restriction) your content.

All the cybercriminal needs to do is to create a free account, upload the malicious payload, and embed the URLs in the chosen entry vector—an MS Word file with a malicious macro, for instance. The payload can be accessed on the A360 Drive through accessing the URL api.autodesk[.]com directly and specifying the file identifier, like so: http[s]://api.autodesk[.]com/shared/<identifier>.

Correlating A360 Abuse to a Surge in a Plethora of Malware
Telemetry from our Smart Protection Network™ noted certain URLs (listed in our appendix) used the most in August 2017. A further look into the URLs revealed that these abused A360 URLs led to a plethora of malware.

For example, we saw an A360 Drive-hosted archive (Order_scan20170000971771010000#.zip, detected by Trend Micro as TSPY_ZBOT.YUYAZW) containing a similarly named executable (.EXE) file embedded with an obfuscated Visual Basic File. Deobfuscating it reveals a Zeus/Zbot KINS variant.

We also saw a set of files (JAVA_KRYPTIK.NPP) containing a Java ARchive (JAR) and an .EXE file. One of the JAR files (SHIPPING DOCUMENTS 01 2208201738382.zip) contains an executable file archive (BKDR_NETWIRE.DB) that, when deobfuscated, contain string references we construe to be a variant of the NETWIRE remote access tool with keylogging and SOCKS proxy capabilities.

Another JAR file we saw (JAVA_ADWIND.JEJPDY) is a variant of jRAT that connects to its C&C servers, which are free dynamic DNS services—duckdns[.]org and chickenkiller[.]com. jRAT, also known as Adwind, can retrieve and exfiltrate multifarious data including credentials, keystrokes, and multimedia files.

Figure 1: Code snapshot showing JAVA_ADWIND.JEJPDY’s C&C servers

We expanded our search in VirusTotal and found that several malicious files were hosted via A360 Drive since June 2017, which surged in August (also listed in our appendix). They are usually remote access tools, either obfuscated EXE files or Java archives. It appears these A360 Drive-hosted malware aren’t used in targeted attacks—at least not yet; we will continue to monitor this and see if it changes.

Coverage from our Smart Protection Network showed the malware’s global distribution, with the U.S., South Africa, France, Italy, Germany, Hong Kong, and U.K. the most affected.

Figure 2: Distribution of A360 Drive-hosted malware

Weaponizing A360 Drive Abuse
One particular document caught our interest: an Office DOC document called “AMMO REQUEST MOD Turkey.doc” (W2KM_DROPPR.XWD). We saw it uploaded to VirusTotal on August 24, from Romania, and our sensors also detected being distributed during the same period. The document was nothing special at first glance; it used a generic template for macro malware.

Figure 3: Sample attack chains related to A360 Drive abuse

Figure 4: W2KM_DROPPR.XWD asking users to click “Enable Content” that will, in turn, run the malicious macro

If the macro is enabled, it will read the whole document and search for a long string (marked red in the screenshot below). This string is usually found at the end of the DOC file in the overlay. The binary data in the document behind the string (marked in red) are XORed with short string (marked in green).

The decrypted payload is a malicious PowerShell script that will download a file from A360 Drive and execute it. The downloaded payload is a Visual Basic obfuscated executable file. Deobfuscating it reveals the Trojanized Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums.

The distribution of emails with this malicious payload seems to be concentrated in Eastern Europe. Croatia is the most affected country, followed by Germany, Greece, and Turkey.

Figure 5: Code strings searched by the malicious macro

Figure 6: Encrypted (left) and decrypted (right) payload at the end of document

Figure 7: An advertisement for the Remcos RAT

Remcos RAT made headlines earlier this February; it was peddled as a service in hacking forums as early as 2016, and we did see Remcos RAT being actively pushed. In mid-August, for instance, we saw Remcos RAT delivered via a malicious PowerPoint slideshow embedded with an exploit for CVE-2017-0199. It’s also worth noting that last March 2017, we found Remcos RAT on endpoints affected by the point-of-sale (PoS) malware MajikPOS. It was used as one of MajikPOS’s entry points to the endpoint.

Mitigation and Trend Micro Solutions
These threats demonstrate how PowerShell is abused to deliver malware them into the system, particularly after an unsuspecting user opens a malicious document. Securing the use of legitimate system administration tools like PowerShell helps mitigate threats and restrict them from being abused. Most specifically, end users can implement a secure email gateway that can look into the content of email entering the environment through custom sandboxing.  Trend Micro customers implementing InterScan Messaging, ScanMail Suite, and Hosted Email Security are also protected from these threats.

Cloud-based storage platforms are known for being abused, too, and its misuse often allows malicious artifacts into the workplace’s machines. This can be prevented by ensuring that web traffic is scanned within the enterprise by implementing secure web gateway solutions such as Trend Micro’s InterScan Web Security.

We’ve disclosed our findings to Autodesk and proactively worked with them in taking down the abused URLs and deploying additional countermeasures to prevent further abuse of A360 Drive. A list of the IoCs related to the aforementioned malware, as well as a list of related malicious files found on VirusTotal from June to August, 2017 is in this appendix.