CloudFanta Malware Bypasses Virtual Keyboard Security, Steals Banking Credentials

November 2, 2016 | By admin
1 Star2 Stars3 Stars4 Stars5 Stars (8 votes, 5.00 / 5

A new malware is suspected to have stolen more than 26,000 worth of email credentials. Dubbed CloudFanta, the malware has been targeting users mostly in Brazil till now. It has also been sending emails from the victims email ID and also monitoring their online banking activities.

cloudfanta malware


The cyber criminals who have unleashed CloudFanta had initiated the attack typically through spearphishing emails. Victims were tempted to open an attachment or click on a link which initiated the malware infection. The unique factor in this attack is that the malware uses the SugarSync cloud storage app for delivering a downloader file. SugarSync is a cloud-based service that allows active synchronization of files across devices. The downloader is a “.jar” ( a Java Archive) file that downloads Dynamic Linked Library (DLL) files having a “.png” extension. The downloader too uses the SugarSync cloud storage app. These files are renamed with a “.twerk” extension and then used for malicious activities – stealing email credentials, sending emails and monitoring banking transactions.

SugarSync had been used for hosting the drive-by-download files. The malware had also been undetectable by typical Cloud Antivirus solutions as it had used SSL/HTTPS for communicating with the SugarSync service. In these attacks, the perpetrators also used Dropbox for hosting the malware.

This attack portrays effective use of cloud-based services for malware attacks. The Banking Trojan – Admin.twerk had been used in this attack, and the victims were users who visited the websites of the following banks in Brazil : Caixa, Banco Bradesco, Banco do Brasil,, and Sicredi.

How the CloudFanta malware works?

The Admin.twerk trojan gained complete administrative privileges by disabling the User Account Control of the infected machine. The malware searched the victims’s machine for email addresses and passwords.

When a user enters the login credentials, the malware redirects the sign-in page to a phishing sign-in page, where the data gets stolen and transferred. The webpage then reverts back to the original/genuine/sign-in webpage.

Virtual Keyboard Security Bypassed

The CloudFanta also bypasses the virtual keyboard security feature used in banking websites. Every single mouse click gets stored as snapshots, and the cyber criminals would be able to find out the password from the mouse clicks.

Cyber security experts foresee a drastic increase in cloud malware campaigns, as more enterprises adopt cloud apps to expand their businesses.

Preventive Measures to Protect Cloud Apps

  • Install Cloud Antivirus security solutions to address malware in cloud services
  • Always keep the operating systems and Cloud Antivirus solutions updated
  • Utilize a patch management system
  • Track usage of cloud services
  • Ensure regular backup of content in the cloud
  • Make two-factor authentication mandatory for accessing email and banking accounts
  • Educate users on internet security and safe internet practices. Instruct users on not to open attachments from unknown sources or click on links in mails from doubtful sources.

comodo antivirus

comodo antivirus

Related Resources:

Website Backup


Spread the love

Add new comment

Your name

You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comodo Complete Antivirus Icon
The World's Only Complete Antivirus for $29.99/yr

Protect Your PC Against All Threats
with Enterprise-Grade Technology
for Home.

Antivirus Software Download  DOWNLOAD FREE Get Protected for $29.99

Got more than 1 PC? Get 3 Licenses for $39.99