Threat Hunting for CloudFanta

Author: Rohit D Sadgune / Amruta Sadgune

FAQ:-

  1. What is CloudFanta?
  2. Data/log source details
  3. Threat hunting for CloudFanta
  4. Malware analysis of CloudFanta

How CloudFanta Malware Works

CloudFanta is a malware campaign that primarily uses cloud storage platforms, such as Google Drive, to deliver its payload to victims. The malware evades security devices such as firewalls and intrusion detection systems (IDS) by downloading DLL files disguised with a “.PNG” extension, so that inspection tools treat them as image files. It communicates over SSL/HTTPS, which encrypts the traffic and prevents monitoring tools from inspecting its contents. After the DLL files are downloaded, the malware renames them using the system’s hostname and affixes the “.TWERK” extension. This combination of techniques helps CloudFanta evade traditional security controls.
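The two file-level tricks described above (a PE file served with a .PNG extension, and the dropped file renamed to <hostname>.TWERK) can be checked directly on file events. The following is an added example, not code from the original post; it assumes a FIM/EDR feed that supplies the hostname, the file name, and the first bytes of each new file, and the sample events are constructed.

```python
from typing import List, Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every real PNG starts with this 8-byte signature
PE_MAGIC = b"MZ"                   # Windows EXE/DLL files start with the "MZ" DOS header


def inspect_file(host: str, name: str, head: bytes) -> Optional[str]:
    """Return a finding for one new file, or None if nothing matches.

    Checks the CloudFanta behaviours from the text: a DLL carrying a .PNG
    extension (PE magic under an image extension) and the <hostname>.TWERK rename.
    """
    lowered = name.lower()
    if lowered.endswith(".png") and head.startswith(PE_MAGIC):
        return "PE_DISGUISED_AS_PNG"
    if lowered.endswith(".png") and not head.startswith(PNG_MAGIC):
        return "PNG_MAGIC_MISMATCH"       # not a PNG at all; worth a look even if not PE
    if lowered == f"{host.lower()}.twerk" or lowered.endswith(".twerk"):
        return "TWERK_RENAME"
    return None


# Constructed sample events (hostname, file name, first bytes); not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str, bytes]] = [
    ("WS-0042", "logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),   # genuine PNG
    ("WS-0042", "update.png", b"MZ\x90\x00\x03\x00\x00\x00"),     # PE under .png
    ("WS-0042", "WS-0042.TWERK", b"MZ\x90\x00\x03\x00\x00\x00"),  # renamed dropper
    ("WS-0042", "report.pdf", b"%PDF-1.7"),                       # unrelated file
]


def hunt(events: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """Run inspect_file over a batch of events and return (host, name, finding) hits."""
    findings = []
    for host, name, head in events:
        finding = inspect_file(host, name, head)
        if finding:
            findings.append((host, name, finding))
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```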

Key log sources to detect a CloudFanta attack

To detect a CloudFanta attack, you need to collect and analyze logs from various sources that reflect user activity, network traffic, and file access. Here are the key log sources you should focus on:

1. Email Logs

Purpose: Track phishing emails that could contain malicious links or attachments.

Relevant Information: Sender details, subject lines, and attachment names. Links to external cloud storage services (e.g., Google Drive).

Detection Focus: Identifying phishing attempts that lead to malware downloads.

2. Cloud Service Logs (e.g., Google Drive, OneDrive)

Purpose: Monitor cloud storage activity where CloudFanta hosts its malware payloads.

Relevant Information: File upload/download activities. Sharing permissions and unusual access patterns.

Detection Focus: Downloads of suspicious files or access to shared files from unexpected locations.

3. DNS Logs

Purpose: Identify domain lookups and queries related to CloudFanta’s C2 infrastructure or phishing domains.

Relevant Information: DNS queries to unusual or suspicious domains, including Google Drive or unknown C2 domains.

Detection Focus: Outbound connections to malicious domains.

4. Web Proxy Logs

Purpose: Track user web activity to detect visits to malicious sites or cloud-hosted malware.

Relevant Information: URLs visited, HTTP/HTTPS requests, and web content types.

Detection Focus: Web-based downloads of malware files from cloud services.

5. Endpoint Detection and Response (EDR) Logs

Purpose: Monitor system processes and detect abnormal file executions.

Relevant Information: File executions, process creation, and behavior monitoring (e.g., credential dumping, browser monitoring).

Detection Focus: Malicious executables and system process anomalies.

6. Authentication Logs (Access Logs)

Purpose: Monitor user authentication activity, especially for abnormal login behavior.

Relevant Information: Failed or successful logins from unusual locations or IP addresses. Simultaneous logins from multiple locations.

Detection Focus: Credential access or theft.

7. Network Traffic Logs (Firewall/IDS/IPS)

Purpose: Track outbound and inbound traffic for unusual patterns or known malicious indicators.

Relevant Information: IP addresses, port numbers, and protocol types. Suspicious outbound connections over HTTPS.

Detection Focus: Connections to C2 servers or exfiltration attempts.

8. Browser Logs

Purpose: Monitor web browser activity for credential-stealing attempts.

Relevant Information: URLs visited, cookies generated, and browser extensions installed.

Detection Focus: Browser activity related to credential theft.

9. File Integrity Monitoring (FIM) Logs

Purpose: Track changes to critical files or executables.

Relevant Information: Unexpected modifications to files. Creation of suspicious files such as malware payloads.

Detection Focus: Detection of malware dropped or executed by CloudFanta.

By integrating these log sources into a Security Information and Event Management (SIEM) solution or another centralized monitoring tool, you can set up rules to detect suspicious patterns and activities indicative of a CloudFanta attack.

Tactics, Techniques, and Procedures (TTPs) used by CloudFanta

How to do threat hunting for CloudFanta through logs

To detect CloudFanta through logs, you need to focus on identifying key Indicators of Compromise (IoCs) and unusual patterns associated with phishing, cloud service access, and credential theft. Here’s how to approach log analysis for detecting CloudFanta:

1. Email Traffic Analysis

Inspect Email Logs: Look for suspicious emails with subject lines that indicate invoices, software updates, or anything unexpected. CloudFanta is known to spread via phishing emails with malicious links leading to Google Drive.

Phishing Indicators: Focus on identifying common traits in CloudFanta emails, such as unexpected links or unusual sender domains. You can use tools like email filtering solutions to flag high-risk attachments and URLs.

Monitor email headers: Look for abnormal sender domains, unexpected attachments (such as .exe, .zip, or .rar files), or URL shorteners in the body.

Indicators in subject lines: Emails with subjects like “Invoice”, “Payment Due”, or “Urgent Update” can be flagged as potential phishing attempts.

Log example:

Source IP: [External Phishing Source]

Subject: “Invoice Payment Required”

Attachment: invoice.zip

Link: hxxps://drive.google.com/file/d/[malicious ID]

2. Network Logs (Outbound Traffic to Cloud Services)

Monitor outbound connections to cloud services: Check for unusual download requests from Google Drive, Dropbox, or OneDrive by unauthorized users or during off-hours.

Abnormal HTTPS traffic: CloudFanta uses HTTPS to communicate with its command-and-control servers, which makes the traffic look legitimate. Check for a sudden spike in HTTPS connections to uncommon domains or cloud services.

Log example:

Destination IP: X.251.X.174 (Google Drive)

Source IP: [Internal user IP]

URL: hxxps://drive.google.com/file/d/[malicious ID]

HTTP status: 200 OK

Download size: [File size in KB]

3. Browser Logs (Credential Stealing)

Unusual browser behavior: CloudFanta targets browser sessions and credentials, so inspect browser logs for failed login attempts or logins from unusual locations.

Suspicious cookie or extension usage: Look for the installation of unknown browser extensions or the generation of abnormal cookies.

Log example:

Event: Browser cookie creation

Browser: Chrome

Action: Suspicious cookie generated

URL: login.banksite.com (Banking login page)

4. Endpoint Logs (Malicious File Execution)

Detect abnormal process executions: CloudFanta malware may run as a background process once downloaded. Use endpoint logs to detect unknown processes or executables that originate from browser downloads or cloud-based storage.

Monitor file hash signatures: Use hashes of known CloudFanta files to scan for malicious executables. If a match is found, it should be flagged as suspicious.

Log example:

Event: File execution

File name: invoice.pdf.exe

User: [Affected User]

5. DNS Logs (Command-and-Control Communication)

Track DNS queries for malicious domains: CloudFanta may communicate with its C2 servers using DNS. Inspect DNS logs for unusual requests to unfamiliar domains or cloud-based C2 infrastructure.

Log example:

Query: drive.google.com

Response: 142.X.36.X

Action: Allowed

6. Authentication and Access Logs (Abnormal Logins)

Monitor user login activities: Look for suspicious login patterns, such as multiple failed login attempts, logins from new geographic locations, or simultaneous logins from different IPs.

Log example:

User: [Affected user]

Source IP: [New location IP]

Action: Successful login to email service

7. Cloud Service Logs (File Access and Sharing)

Monitor file sharing activity: Check for the sharing of malicious files via cloud services. CloudFanta uses Google Drive for distributing malware, so monitoring file shares can help detect potential infections.

Look for unusual access to shared files: If a sensitive file was accessed unexpectedly or by unknown users, it could indicate a compromise.

Log example:

Event: File download from shared Google Drive

File: invoice_update.pdf

Source IP: [External IP]

By correlating these logs and looking for TTPs related to CloudFanta’s behavior, such as phishing emails, unusual file downloads, credential theft attempts, and suspicious DNS queries, you can detect the presence of CloudFanta and mitigate its impact. Keep your IoC and TTP database up to date and use security tools such as a SIEM or NDR for real-time detection and response.
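The correlation described above, across the email, proxy and endpoint sources from steps 1, 2 and 4, as an added example that is not part of the original post. It assumes the SIEM can export events in a simple key=value line format; the log lines, user names, file paths and Drive IDs below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in key=value form (not real telemetry).
SAMPLE_LOGS = r"""
ts=2024-05-01T09:00:05 src=email user=alice subject="Invoice Payment Required" link=https://drive.google.com/file/d/EXAMPLEID
ts=2024-05-01T09:02:10 src=proxy user=alice url=https://drive.google.com/file/d/EXAMPLEID status=200 bytes=412000
ts=2024-05-01T09:03:30 src=endpoint user=alice event=exec file=C:\Users\alice\Downloads\invoice.pdf.exe
ts=2024-05-01T09:04:00 src=endpoint user=alice event=create file=C:\Users\alice\AppData\Local\WS-0042.TWERK
ts=2024-05-01T11:15:00 src=proxy user=bob url=https://drive.google.com/file/d/OTHERID status=200 bytes=2048
ts=2024-05-01T16:40:00 src=endpoint user=bob event=exec file=C:\Program Files\Notepad++\notepad++.exe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUBJECT_RE = re.compile(r"invoice|payment due|urgent update", re.I)   # subjects from step 1
DROPPER_RE = re.compile(r"\.(pdf|doc|docx|png)\.(exe|dll|scr)$|\.twerk$", re.I)
WINDOW = timedelta(minutes=15)   # assumed: download-to-execution gap worth correlating


def parse(line: str) -> dict:
    """Turn one key=value line into a dict, parsing ts into a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def stage(ev: dict):
    """Map one event to a CloudFanta stage (phish, drive_download, dropper) or None."""
    if ev["src"] == "email" and (SUBJECT_RE.search(ev.get("subject", ""))
                                 or "drive.google.com" in ev.get("link", "")):
        return "phish"
    if ev["src"] == "proxy" and "drive.google.com/file/d/" in ev.get("url", "") \
            and ev.get("status") == "200":
        return "drive_download"
    if ev["src"] == "endpoint" and DROPPER_RE.search(ev.get("file", "")):
        return "dropper"
    return None


def correlate(log_text: str) -> dict:
    """Alert per user when a Drive download is followed by a dropper within WINDOW."""
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        s = stage(ev)
        if s:
            per_user[ev["user"]].append((ev["ts"], s))
    alerts = {}
    for user, evs in per_user.items():
        downloads = [t for t, s in evs if s == "drive_download"]
        droppers = [t for t, s in evs if s == "dropper"]
        if any(timedelta(0) <= d - dl <= WINDOW for dl in downloads for d in droppers):
            alerts[user] = sorted({s for _, s in evs})   # stages observed for this user
    return alerts
```

A lone Drive download (bob) produces no alert; only the download-then-dropper chain (alice) does, which keeps the rule quiet in environments where Google Drive is in normal use.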
