Bypassing protection measures by direct upload of malicious content to OneDrive/Office 365

9 August 2015

I am happy about every email with malicious content or attachment, in particular if I find the mail in my inbox. Sound’s strange, but it’s important to analyze the technology of the attackers to develop proper protection strategies.

Last Wednesday I spent an hour with the analysis of an obviously malicious email attachment. Outlook blocked the access to the attachment without any error message. Therefore I logged in to my outlook.com account and opened the email:

Malicious Mail in Outlook.com

Malicious Mail in Outlook.com

A click on Download as zip resulted in the following error message:

The file “Automatische Lastschrift konnte nicht vorgenommen werden 05.08.2015.zip” is infected with an unknown virus, so it isn’t safe to download.

Perfect! This explains the strange behavior of Outlook. But saving to OneDrive surprisingly works.

Malicious Mail Save to OneDrive

Malicious Mail Save to OneDrive

Some minutes later I uploaded the zip archive to VirusTotal and found, that the malware was already known with name Trojan:Win32/Bulta!rfn. For more details please see below.

When I extracted the nested zip-archive to my local hard disk the endpoint protection system correctly identified the program, blocked access and took the predefined action.

What happened? The attackers used a standard technology (malware in nested zip archives) to deliver their payload. The outlook client and outlook.com both blocked downloading the payload because they identified a suspicious attachment.

But all protection could be bypassed by uploading the file to OneDrive. When OneDrive or Office 365 is used as collaboration platform with suppliers and partners an attacker could easily use bypass to distribute malicious content across companies. In particular for zero day exploits this may become a serious problem.

For protection against the download of malicious content from Cloud Services we have to change our endpoint protection strategy. The anti-malware systems on the surf proxy will not recognize the malicious objects because the data stream is encrypted (https protocol used). Even if the surf proxy breaks SSL it is very likely that zero day exploits, and already known viruses, are not identified. The same holds for the endpoint protection systems on the end-users desktops.

But the first line of defense, the cloud provider, has the most important task. Bypassing protection by uploading malicious objects to the cloud storage is not acceptable. This strange behavior should be corrected as soon as possible. From the above we know that this is an easy task because the system already identified the attachment as malware.

Have a good week!


VirusTotal results: 2015-08-06 20:21:06 UTC

Detection rate: 23 / 55

AntiVirus Result Last Update
Avast Win32:Malware-gen 20150806
Microsoft Trojan:Win32/Bulta!rfn 20150806
Ikarus Trojan.Win32.Crypt 20150806
Arcabit Trojan.Mikey.D538C 20150806
DrWeb Trojan.Inject1.62743 20150806
TrendMicro TROJ_KR.2B7B2BF7 20150806
TrendMicro-HouseCall TROJ_KR.2B7B2BF7 20150806
Avira TR/Crypt.Xpack.248161 20150806
Rising PE:Trojan.Win32.Generic.18EBC66C!418104940 20150731
Sophos Mal/Generic-S 20150806
AVG Generic_r.FOY 20150806
Panda Generic Suspicious 20150806
Emsisoft Gen:Variant.Mikey.21388 (B) 20150806
Ad-Aware Gen:Variant.Mikey.21388 20150806
BitDefender Gen:Variant.Mikey.21388 20150806
F-Secure Gen:Variant.Mikey.21388 20150806
GData Gen:Variant.Mikey.21388 20150806
MicroWorld-eScan Gen:Variant.Mikey.21388 20150806
McAfee-GW-Edition BehavesLike.Ransom.lc 20150806
Kaspersky Backdoor.Win32.Androm.humu 20150806
Symantec Backdoor.Matsnu 20150806
McAfee Artemis!B65DB4920F67 20150806
ESET-NOD32 a variant of Win32/Kryptik.DSND 20150806
ALYac 20150806
AVware 20150806
AegisLab 20150806
Agnitum 20150806
AhnLab-V3 20150806
Alibaba 20150803
Antiy-AVL 20150806
Baidu-International 20150806
Bkav 20150806
ByteHero 20150806
CAT-QuickHeal 20150806
ClamAV 20150806
Comodo 20150806
Cyren 20150806
F-Prot 20150806
Fortinet 20150804
Jiangmin 20150804
K7AntiVirus 20150806
K7GW 20150806
Kingsoft 20150806
Malwarebytes 20150806
NANO-Antivirus 20150806
Qihoo-360 20150806
SUPERAntiSpyware 20150806
Tencent 20150806
TheHacker 20150805
VBA32 20150806
VIPRE 20150806
ViRobot 20150806
Zillya 20150806
Zoner 20150806
nProtect 20150806
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s