Payload dropped via Azure hosted drive-by-download links

Dec 12, 2018 20:45 GMT

A new CapitalInstall malware strain was detected being distributed through Microsoft Azure blob storage instances, whose IP addresses are commonly whitelisted by Azure users.

This new malware discovered by Netskope is used by attackers to drop the Linkury adware known to feature browser hijacking behavior and to target Windows machines.

Furthermore, the Linkury adware strain has been observed performing search hijacks, so that most users of infected systems are presented with altered search results.

Netskope found out during their analysis that CapitalInstall was delivered to the targeted machines using "drive-by-download links from a website that claim to provide keys and licenses related to popular software."

The URLs used in the drive-by-download attacks were spread across multiple TLDs, all of which ultimately downloaded the Linkury adware binary from the intie[.]blob.core.windows.net Azure blob storage domain.

Netskope added that "Using Virustotal Passive DNS records for the domain intie[.]blob.core.windows.net and our clustering mechanism, we identified close to 2000 unique hashes downloaded from the domain, starting from April 2018."

CapitalInstall delivered using unconventional ISO package

One of the samples captured by Netskope was an Adobe CC 2019 crack delivered in the form of a .exe Windows binary packed within an ISO image file, a novel way of distributing adware on the Windows platform.

The next step in the CapitalInstall infection process is to display a web page that asks the users to download and install various unwanted software, ranging from browser add-ons to cryptocurrency miners.

The researchers conclude that the move of company infrastructure to IaaS providers such as Amazon AWS, Microsoft Azure, and Google Cloud has also changed malware behavior to match the new playing field.

Netskope concluded that "Organizations that do not have a multi-layered cloud-aware solution for threat detection are particularly vulnerable to attackers hosting malicious files in IaaS object stores."
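A first-pass detection in the spirit of the cloud-aware monitoring the researchers recommend, as an added example that is not from the article or from Netskope: it scans constructed proxy log lines for installer-type downloads (ISO, EXE, MSI, IMG) from *.blob.core.windows.net storage accounts whose referrer is not a trusted Microsoft-operated site, which is the pattern of a crack site linking to an Azure-hosted payload. The log format, the storage account names other than intie, the referrer domains and the trusted-referrer list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines for illustration (not from the article):
# timestamp, client IP, referrer ("-" if none), requested URL, HTTP status.
SAMPLE_LOGS = [
    "2018-12-10T10:01:02Z 10.0.0.5 https://example-crack-site.test/adobe "
    "https://intie.blob.core.windows.net/pkg/Adobe+CC+2019+Crack.iso 200",
    "2018-12-10T10:03:44Z 10.0.0.7 - https://corpfiles.blob.core.windows.net/reports/q3.pdf 200",
    "2018-12-10T10:05:10Z 10.0.0.9 https://portal.azure.com/ "
    "https://corpfiles.blob.core.windows.net/tools/installer.exe 200",
    "2018-12-10T10:07:31Z 10.0.0.5 https://example-crack-site.test/adobe https://cdn.example.test/setup.exe 200",
]

# Installer-style artefacts worth a second look when fetched from object storage.
RISKY_EXTENSIONS = (".iso", ".exe", ".msi", ".img")
# Referrer domains treated as benign (assumption: tune to the organisation's own Azure use).
TRUSTED_REFERRER_SUFFIXES = ("azure.com", "microsoft.com", "windows.net")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into its fields; returns None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, referrer, url, status = m.groups()
    return {"ts": ts, "client": client, "referrer": referrer, "url": url, "status": int(status)}

def is_trusted_referrer(referrer):
    """True only when the referrer host is one of the trusted suffixes (a missing referrer is not trusted)."""
    if referrer == "-":
        return False
    host = (urlparse(referrer).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REFERRER_SUFFIXES)

def flag_line(line):
    """Return an alert dict for a risky blob-storage download, else None."""
    rec = parse_line(line)
    if rec is None or rec["status"] != 200:
        return None
    parsed = urlparse(rec["url"])
    host = (parsed.hostname or "").lower()
    if not host.endswith(".blob.core.windows.net"):
        return None
    if not parsed.path.lower().endswith(RISKY_EXTENSIONS) or is_trusted_referrer(rec["referrer"]):
        return None
    return {"ts": rec["ts"], "client": rec["client"], "account": host.split(".")[0],
            "file": parsed.path.rsplit("/", 1)[-1], "referrer": rec["referrer"]}

def scan(lines):
    """Run flag_line over every line and collect the alerts."""
    return [alert for alert in map(flag_line, lines) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Only the first sample line is flagged: an ISO fetched from the intie storage account with a crack-site referrer; the PDF, the Azure-portal-referred installer and the non-blob download pass.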

[Photo gallery: CapitalInstall; Adobe+CC+2019+Crack.iso embedded with CapitalInstall; Message displayed on execution]