Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.
The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.
The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.
The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.
Searching for indicators of compromise is also difficult in such cases, as the affected environments might have a large number of access records made by non-malicious software, the security researchers say.
After the content of said JS snippet is fetched, a function is called to add to the end of the JS snippet a string containing “downAndExec” and two parameters representing the URL where the C&C is hosted, and “x-id” data, which is necessary to download other payloads.
The researchers also discovered that in addition to obfuscation, protection against sandboxing has been implemented as well. Thus, the malicious code isn’t executed if the JS snippet is analyzed separately. Moreover, the script performs a series of checks before executing malicious functions, to make sure that the target machine is of potential interest.
The malware checks for various files, after which it starts looking for folders associated with banking programs such as Bradesco, Itaú, Sicoob and Santander. The researchers suggest that this check is probably intended to prevent activation of malicious functions on computers that are not used for online banking.
Finally, the malware also checks whether the target computer is located in Brazil. This shows that the attack is targeted and might also be meant to avoid analysis. The snippet verifies that the customer IP is from a Brazilian AS (autonomous system).
Should the computer meet all conditions, the malware initiates communication with the C&C, which results in the final compromise being performed. In the analyzed incident, the malware downloaded three files, one of which is a banking Trojan.
“As we have seen, the downAndExec technique involves two download stages and several protections, either to identify machines matching the desired profile, or to distribute malicious code in ‘sterile’ sections, which on their own do not execute (in order to bypass online protections), but which, when joined with other pieces of malicious code, are capable of compromising a victim’s computers,” ESET concludes.