{"id":1319,"date":"2016-11-02T04:31:41","date_gmt":"2016-11-02T04:31:41","guid":{"rendered":"https:\/\/antivirus.comodo.com\/blog\/?p=1319"},"modified":"2025-04-08T19:05:04","modified_gmt":"2025-04-08T13:35:04","slug":"cloudfanta-malware-steals-banking-credentials","status":"publish","type":"post","link":"https:\/\/antivirus.comodo.com\/blog\/computer-safety\/cloudfanta-malware-steals-banking-credentials\/","title":{"rendered":"CloudFanta Malware Bypasses Virtual Keyboard Security, Steals Banking Credentials"},"content":{"rendered":"

A new malware is suspected to have stolen more than 26,000 worth of email credentials. Dubbed CloudFanta, the malware has been targeting users mostly in Brazil till now. It has also been sending emails from the victims email ID and also monitoring their online banking activities.<\/p>\n

\"cloudfanta<\/p>\n

 <\/p>\n

The cyber criminals who have unleashed CloudFanta had initiated the attack typically through spearphishing emails. Victims were tempted to open an attachment or click on a link which initiated the malware infection. The unique factor in this attack is that the malware uses the SugarSync cloud storage app for delivering a downloader file. SugarSync is a cloud-based service that allows active synchronization of files across devices. The downloader is a “.jar” ( a Java Archive) file that downloads Dynamic Linked Library (DLL) files having a \u201c.png\u201d extension. The downloader too uses the SugarSync cloud storage app. These files are renamed with a \u201c.twerk\u201d extension and then used for malicious activities \u2013 stealing email credentials, sending emails and monitoring banking transactions.<\/p>\n

SugarSync had been used for hosting the drive-by-download files. The malware had also been undetectable by typical Cloud Antivirus<\/strong> solutions<\/strong><\/a> as it had used SSL<\/a>\/HTTPS for communicating with the SugarSync service. In these attacks, the perpetrators also used Dropbox for hosting the malware.<\/p>\n

This attack portrays effective use of cloud-based services for malware attacks. The Banking Trojan \u2013 Admin.twerk had been used in this attack, and the victims were users who visited the websites of the following banks in Brazil : Caixa, Banco Bradesco, Banco do Brasil, bb.com.br, and Sicredi.<\/p>\n

How the CloudFanta malware works?<\/strong><\/p>\n

The Admin.twerk trojan gained complete administrative privileges by disabling the User Account Control of the infected machine. The malware searched the victims’s machine for email addresses and passwords.<\/p>\n

When a user enters the login credentials, the malware redirects the sign-in page to a phishing sign-in page, where the data gets stolen and transferred. The webpage then reverts back to the original\/genuine\/sign-in webpage.<\/p>\n

Virtual Keyboard Security Bypassed<\/strong><\/p>\n

The CloudFanta also bypasses the virtual keyboard security feature used in banking websites. Every single mouse click gets stored as snapshots, and the cyber criminals would be able to find out the password from the mouse clicks. (Valium<\/a>) <\/p>\n

Cyber security<\/a> experts foresee a drastic increase in cloud malware campaigns, as more enterprises adopt cloud apps to expand their businesses.<\/p>\n

Preventive Measures to Protect Cloud Apps<\/strong><\/p>\n