Netskope uncovers a new family of IaaS adware

Read time 2min 10sec
CaptialInstall steals computing resources.
CaptialInstall steals computing resources.

Netskope Threat Research Labs has uncovered a family of adware dubbed CapitalInstall, that is delivered from Microsoft Azure Blob Storage, and whose IP range was whitelisted by multiple customers.

The malware was identified via telemetry that recently alerted the researchers on a high number of detections, related to multiple customers in the health and retail sector who had recently deployed Netskope Advanced Threat Protection.

In addition, the researchers identified similar strains of CapitalInstall across 20 customer instances that had been detected in the past.

"Since the malware masquerades as a commonly used enterprise software installer, the potential impact is much larger and not limited to any particular vertical," says Netskope.

CapitalInstall is linked to a family of potentially unwanted applications (PUPs) that victims might have inadvertently installed on their machines. It is delivered via drive-by-download links from a Web site that claims to provide keys and licences related to popular software.

However, once installed, a series of messages appear on the victim's computer, to lure them into downloading and installing several strains of adware from a service called 'Swiftviz[.]net'.

This particular malware family aims to generate revenue through ads related to Bitcoin mining and fake search engines, stealing compute resources and causing loss of productivity.

An IaaS world

According to Netskope, the onslaught of new technologies such as containers, serverless applications, and SaaS storage are now the new standards of the industry, with organisations building their entire infrastructure on IaaS providers, including Amazon AWS, Google Cloud, and Microsoft Azure.

"With a major shift of services towards cloud, the dynamics of threats have changed and they have started adapting to this new playground."

The research on CapitalInstall is a classic example of malware being hosted over IaaS for delivering the payload using placeholder Web sites, explains Netskope. "Organisations that do not have a multi-layered cloud-aware solution for threat detection are particularly vulnerable to attackers hosting malicious files in IaaS object stores."

To protect themselves, Netskope advises enterprises educate users on best practices and teach them to refrain from installs, downloads and accessing any Web site promoting cracks, keys, and licences of popular software.

"Enterprise administrators and users should also be educated on the implications of whitelisting IPs and sharing files across users," the researchers concluded.

Login with