Cloud malware – what is it, why does it exist and what can you do to prevent it?

If you track the lifecycle of malware as religiously as us, you would be able to see how it parallels changes in commercial technology.

The growing volume of malicious software reached dizzying proportions some time ago. Tens of millions of variants are now spat out by all manner of obfuscation and automation engines, however, what is more interesting, is how malware writers have capitalised on the move to the cloud.

What is cloud malware

If it is possible to broadly summarise the overall change, it would be that whereas once the game for malware writers was to install a payload on an endpoint – things are no longer that simple.

Instead, the accessibility and interconnectedness of modern cloud-based working environments mean that a single piece of cloud malware can travel far more easily around a target environment and cause more damage.

In essence, cloud applications are hijacked into becoming a transport mechanism for malicious code. Examples include Virlock, the shape-shifting ransomware which propagates using cloud storage apps or RanSerKD, which spreads using Dropbox and weaponised Word documents.

Cloud malware can also travel using applications with real technical elegance, for example pretending to be part of legitimate app-to-app data traffic.  In fact, the vast flows in cloud traffic around organisations are used by malware to do everything from hiding exfiltration to updating modular elements.

At the more advanced end of the scale, malicious software itself has even developed a cloud-based delivery model that many big companies would be proud of with fileless malware.  Here, an infection never even takes place on a target machine, dropping from the cloud before running briefly in memory and ghosting away sensitive IP without trace instead.

How to stop cloud malware from impacting your organisation

Despite being the more advanced end of malware, simple controls managed correctly and deployed in a layered way can help to prevent malicious code from entering and spreading through cloud environments.

First, ensure a solid web filtering regime is in place.  All malware relies on calling a command and control server at some point to exfiltrate data, update, receive instructions or just to check-in.

With an agent installed on your organisation’s web gateway, detecting and blocking these malicious calls will cut the malware off from its controller.  Operating this kind of technology will also prevent the user from visiting websites known to drop malicious programmes in the first place.

As this type of threat often operates inside popular cloud applications, it is also a good idea to employ a CASB solution to ensure some monitoring of user activity at a granular level inside the applications themselves.  This will allow security teams to receive alerts if suspicious activity is occurring, such as the downloading or sharing of sensitive IP.

The more advanced CASB solutions also apply specific anti-malware countermeasures which scan data for malicious programmes or even implement pattern matching and DLP techniques to identify and protect sensitive information.

Malware will continue to advance for as long as enterprises adopt new technology to be abused, so staying aware of the latest techniques is crucial.  A combination of security team and user awareness, alongside layered and integrated technology, provides the best possible chance of mitigation.

🍪 This website uses cookies to improve your web experience.