Cybercriminals Used Amazon Cloud Services To Spread Financial Malware

Amazon takes down malicious links -- 60 hours after being alerted

A Kaspersky Lab researcher over the weekend alerted Amazon that cybercriminals were using its Amazon Web Services cloud offering to spread financial-stealing malware. The attackers apparently deployed registered accounts to wage the attacks on 11 international banks, nine of which are in Brazil.
Dmitry Bestuzhev, senior malware researcher at Kaspersky, says it took Amazon 60 hours to shut down the malicious links after he informed them of the activity on its cloud service. Cloud abuse is an emerging vector of attack for cybercriminals. I don’t believe classic botnets will be replaced totally or in a majority of the cases by malware in the cloud soon. However, [the] more cloud we’re going to use, [the] more attacks like this we’ll see. For now not much will change -- only C&C may slightly move to the commercial clouds, Bestuzhev says.
Bestuzhev says cloud providers need to better monitor their infrastructure and systems to catch attacks originating from their networks. He says Amazon, in theory, could have detected the abuse of its Web Services: However, before all malicious links were [taken] down, we had to wait around 60 hours. What should be done? To have more proactive monitoring and multiscanner checks of all links on AWS, and especially if it’s about binary files. Also, response time should be improved, he says.
The attackers appear to be out of Brazil, he says, and the main targets are Brazilian bank customers. They dropped a rootkit that detected and blocked four different antivirus programs, he says, as well as a security application used in Brazil for online banking called GBPluggin.
Other malware they spread was able to steal Microsoft Live Messenger credentials, digital certificates, and CPU and hard drive information. The attackers moved the stolen data over email to their Gmail accounts and to a remote database via a special PHP-inserting process.
They tried to cover their tracks by employing antipiracy software in their malware so that researchers would have trouble reverse-engineering the code, Bestuzhev says.
Kaspersky has identified and labeled the malware samples as Trojan-Downloader.Win32.Murlo.lib; Trojan-PSW.Win32.MSNer.a; Trojan-Banker.Win32.Banz.iok; Trojan-Banker.Win32.Banker.blpm; Trojan-Downloader.Win32.Homa.fgx; and Trojan-Banker.Win32.Banker.blbt.
I believe legitimate cloud services will continue to be used by criminals for different kinds of cyberattacks. Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud, Bestuzhev said
in a blog post
that includes screen shots.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cybercriminals Used Amazon Cloud Services To Spread Financial Malware