Security experts at SophosLabs have discovered a new cyber attack using spyware. The malware, christened Cloud Snooper, implants a rootkit and communicates through firewalls. The spyware was found on a Linux server in the Amazon cloud; a Windows counterpart exists as well.
According to the Sophos experts, the attack uses a previously unseen combination of hacking techniques that lets the malware talk to its own command-and-control (C2) servers through firewalls, and it works on both Linux and Windows machines. Given the sophistication of the techniques, Sophos attributes the campaign to highly professional attackers and considers state backing possible.
New combination of hacking techniques
Sophos discloses the details of Cloud Snooper in this report (PDF). The attack was discovered after someone noticed an anomaly, unusually high traffic, on an Amazon Web Services (AWS) instance. Although the AWS security groups (SGs) were configured correctly and allowed only inbound HTTP and HTTPS traffic, the compromised Linux system was nevertheless listening for inbound connections on ports 2080/TCP and 2053/TCP.
That was reason enough to investigate. The analysis of the system turned up a rootkit that let the malware's authors remotely control the server through the AWS SGs: according to the Sophos report, the rootkit hooks the kernel's network stack, recognises inbound packets that carry a specific source-port marker on the SG-permitted ports, and rewrites them to the backdoor's own listening ports, so the firewall only ever sees ordinary HTTP/HTTPS connections. The rootkit's capabilities are not limited to the Amazon cloud: it could equally be used to reach and remotely control malware on any server behind any firewall, including an on-premises server.
Further analysis identified additional Linux hosts infected with the same or a similar rootkit. In a further step, SophosLabs experts also identified a compromised Windows system carrying a backdoor. It communicated with a C2 server similar to the one used by the other compromised Linux hosts and used a very similar configuration format. The backdoor appears to be based on the source code of the infamous Gh0st RAT malware.
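The mismatch that exposed Cloud Snooper was simple to state: the security group permitted only 80/TCP and 443/TCP inbound, yet the host had sockets listening on 2080/TCP and 2053/TCP. The following script is an added example (not Sophos tooling and not from the report) that performs exactly that comparison on a host: it parses `ss -Hlntp` style output and the `IpPermissions` structure that `aws ec2 describe-security-groups` returns, and reports every externally bound listener that the SG does not expose. The `ss` output and the SG rules below are constructed for the demonstration; the security group id and process names are hypothetical.

```python
"""Flag TCP listeners on a host that its AWS security group does not expose.

Added example for the Cloud Snooper discovery story; not Sophos code.
The sample `ss` output and SG rules are constructed, not real captures.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hlntp` output (hypothetical processes/PIDs).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1203,fd=7))
LISTEN 0 128 0.0.0.0:2080 0.0.0.0:* users:(("snoopy",pid=2317,fd=4))
LISTEN 0 128 0.0.0.0:2053 0.0.0.0:* users:(("snoopy",pid=2317,fd=5))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
"""

# Constructed ingress rules in the shape of the IpPermissions list that
# `aws ec2 describe-security-groups` returns: HTTP and HTTPS only.
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# One `ss` line: state, recv-q, send-q, local addr:port, peer, optional users:(...).
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str
    pid: int


def parse_ss(text):
    """Turn `ss -Hlntp` output into Listener records (unknown process -> '?')."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]),
                                      m["proc"] or "?", int(m["pid"] or 0)))
    return listeners


def allowed_tcp_ports(ingress):
    """Expand SG ingress rules into the set of TCP ports reachable from outside."""
    ports = set()
    for rule in ingress:
        proto = rule.get("IpProtocol")
        if proto == "-1":                      # "all traffic" rule
            return set(range(0, 65536))
        if proto != "tcp":
            continue
        ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def unexpected_listeners(listeners, ingress):
    """Listeners bound to non-loopback addresses on ports the SG does not permit."""
    allowed = allowed_tcp_ports(ingress)
    return [l for l in listeners
            if not l.addr.startswith(LOOPBACK_PREFIXES) and l.port not in allowed]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS), SG_INGRESS):
        print(f"port {l.port}/tcp bound on {l.addr} by {l.proc} (pid {l.pid}) "
              f"is not exposed by the security group")
```

On the sample data the script reports 22, 2053 and 2080. The sshd entry is the expected kind of benign divergence; the two sockets owned by an unrecognised process are the finding worth chasing. Two caveats apply: a kernel rootkit that hooks the network stack can lie to `ss`, so an empty result proves nothing on a host you already suspect, and the SG comparison only tells you which listeners the firewall shields. Cloud Snooper's whole point was that traffic to the permitted ports was being diverted to the hidden ones, which is why the original anomaly showed up in traffic volume rather than in port lists. Pairing this host-side check with VPC flow logs is the stronger control.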
Cloud Snooper Tools found
During its investigation of infected systems, SophosLabs found several files associated with the Cloud Snooper tools. The description starts with the Linux malware and then moves on to its Windows counterpart, which appears to be based on Gh0st RAT. A total of 10 samples were discovered and examined during the investigation. The following malicious files, whose names imitate legitimate system components, were found:
Linux Malware, Group 1
- snd_floppy (MD5 a3f1e4b337ba1ed35cac3fab75cec369), 738,368 bytes, ELF64, x86-64
- snd_floppy (MD5 6a1d21d3fd074520cb6a1fda76d163da), 738,368 bytes, ELF64, x86-64
- snd_floppy (MD5 9cd93bb2a12cf4ef49ee1ba5bb0e4a95), 544,832 bytes, ELF64, x86-64
- snoopy (MD5 c7a3fefb3c231ad3b683f00edd0e26e4), 305,309 bytes, ELF64, x86-64
- vsftpd (MD5 15e96f0ee3abc9d5d2395c99aabc3b92), 60,456 bytes, ELF64, x86-64
- ips (MD5 2b7d54251068a668c4fe8f988bfc3ab5), 35,580 bytes, ELF64, x86-64
Linux Malware, Group 2 – Gh0st RAT
- snort (MD5 ecac141c99e8cef83389203b862b24fd), 64,412 bytes, ELF64, x86-64
- javad (MD5 67c8235ac0861c8622ac2ddb1f5c4a18), 64,412 bytes, ELF64, x86-64
- nood.bin (MD5 850bf958f07e6c33a496b39be18752f3), 66,000 bytes, ELF64, x86-64
Windows Malware – Gh0st RAT
- NSIProvider.dll (MD5 a59c83285679296758bf8589277abde7), 219,648 bytes, PE32, x86
- NSIProvider.dll.crt (MD5 76380fea8fb56d3bb3c329f193883edf), 516,097 bytes, [encrypted]
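The hash list above is only useful if it gets run against hosts. The following is an added example (not Sophos tooling) of a minimal sweep: it walks a directory tree, uses the file size as a cheap pre-filter before hashing, matches MD5 against the indicators listed above, and separately checks `/proc/modules` text for the rootkit's module name `snd_floppy`. The `demo()` function exercises the code on a constructed file with a private indicator set, since no benign test file can reproduce the listed hashes; the directory layout and module text it uses are constructed.

```python
"""Sweep a filesystem and a /proc/modules listing for the Cloud Snooper IOCs.

Added example built from the file list on this page; not Sophos tooling.
"""
import hashlib
import os
import stat

# MD5 -> (file name, size in bytes), copied from the list above.
CLOUD_SNOOPER_HASHES = {
    "a3f1e4b337ba1ed35cac3fab75cec369": ("snd_floppy", 738368),
    "6a1d21d3fd074520cb6a1fda76d163da": ("snd_floppy", 738368),
    "9cd93bb2a12cf4ef49ee1ba5bb0e4a95": ("snd_floppy", 544832),
    "c7a3fefb3c231ad3b683f00edd0e26e4": ("snoopy", 305309),
    "15e96f0ee3abc9d5d2395c99aabc3b92": ("vsftpd", 60456),
    "2b7d54251068a668c4fe8f988bfc3ab5": ("ips", 35580),
    "ecac141c99e8cef83389203b862b24fd": ("snort", 64412),
    "67c8235ac0861c8622ac2ddb1f5c4a18": ("javad", 64412),
    "850bf958f07e6c33a496b39be18752f3": ("nood.bin", 66000),
    "a59c83285679296758bf8589277abde7": ("NSIProvider.dll", 219648),
    "76380fea8fb56d3bb3c329f193883edf": ("NSIProvider.dll.crt", 516097),
}

# Kernel module name of the rootkit sample listed above.
SUSPECT_MODULES = {"snd_floppy"}


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not get loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=CLOUD_SNOOPER_HASHES):
    """Return (path, md5, ioc_name) for every regular file matching an IOC."""
    sizes = {size for _, size in iocs.values()}   # only hash plausible sizes
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size not in sizes:
                continue
            digest = md5_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest][0]))
    return hits


def suspect_modules(proc_modules_text, suspects=SUSPECT_MODULES):
    """Parse /proc/modules content (module name is the first column)."""
    found = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in suspects:
            found.append(fields[0])
    return sorted(found)


def demo():
    """Run the sweep on a constructed file and constructed /proc/modules text."""
    import tempfile
    root = tempfile.mkdtemp(prefix="cs_ioc_")
    path = os.path.join(root, "vsftpd")
    data = b"constructed content standing in for a sample"   # not real malware
    with open(path, "wb") as f:
        f.write(data)
    digest = hashlib.md5(data).hexdigest()
    private_iocs = {digest: ("vsftpd", len(data))}
    modules_text = ("snd_floppy 16384 0 - Live 0xffffffffc0a00000\n"
                    "nf_conntrack 172032 1 nf_nat, Live 0xffffffffc09c0000\n")
    return {
        "hits": scan_tree(root, private_iocs),
        "real_ioc_hits": scan_tree(root),      # the real list never matches this file
        "modules": suspect_modules(modules_text),
        "expected_path": path,
        "digest": digest,
    }


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree("/")` from a trusted context (a forensic mount or a rescue system) rather than on the live host where possible: a kernel rootkit can hide files and modules from userland, and MD5 matching only catches these exact samples, not recompiled variants. The size pre-filter keeps a full-disk sweep cheap, but it also means a sample padded by a single byte is missed, so treat the hash list as a starting point and not as a clean bill of health.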