Cracking the CLOUD Code
The Biggest Data Breach of 2015!
CLOUD is a malware strain capable of affecting not only individual computers and laptops but also servers and company data stored in cloud storage. One of the infected targets was the crypto-currency exchange Poloniex, which had to suspend operations for a few days in February 2015. In May 2015 OpenDNS (a US-based internet infrastructure provider) announced that it had been hit by the CLOUD virus as well.
- Another victim is a Czech news portal, which stated last week that its site was hacked through a third-party software vulnerability detected on one of its pages, allowing the attackers to infect all visitors with malware designed specifically to steal logins and passwords for large services such as Facebook, Twitter, Google, Amazon and LinkedIn.
- The CLOUD virus is a sophisticated strain of malware that includes a variety of modules, allowing cyber criminals to deploy versatile malicious applications capable of stealing victims' private data stored both online and offline.
- According to recent reports, CLOUD has been updated several times by its authors since July 2014. This explains how it managed to infect such a large number of computers even though its existence was revealed only in February 2015.
- Even now, a few months after its exposure, CLOUD continues to spread across the Internet at an unprecedented rate, infecting new users every day and turning into one of the largest security challenges for the internet community in 2015.
According to a Cisco examination conducted in May 2015, CLOUD originated as a targeted attack against a specific company using spear-phishing emails. The initial infection was performed by exploiting a zero-day vulnerability detected in Adobe Flash Player (CVE-2015-3043). Cisco also states that the exact initial infection vector is still unknown, but it was most likely a spear-phishing email stored on cloud storage and delivered to specific targets.
CLOUD Malware Modules
Since its first appearance, CLOUD has been improved and updated several times and currently includes the following malware modules:
Boot kit
Used to prevent the computer system from booting up; it works even if the hard drive is reformatted;
File system filter driver
Intercepts file open/save requests and sends malicious files to the attacker's server; the default location for such files is the user's AppData folder;
Keystroke logger
Captures keystrokes and sends them to the attacker's server over HTTP or HTTPS;
Sniffer for passwords and sensitive information
Steals logins and passwords from browsers and popular web-based applications including Gmail, Yahoo, Facebook, Twitter, LinkedIn, etc.; it is worth noting that these credentials are not stored on the victim's PC but are sent to the attacker's server immediately after being stolen. The sniffer also implements several techniques for capturing data even when it is encrypted (session hijacking);
VNC Module
Allows remote control of the victim's computer. It creates a secure connection over HTTPS to attacker-controlled servers using the RC4 cipher with a 1024-bit RSA key. Very similar to this module is the FTP module, which works over port 443 using the same encryption methods.
CLOUD malware (virus)
Another interesting feature of the CLOUD virus is its ability to infect mobile devices, including iPhones, Android phones and tablets. For this purpose, cyber criminals use special software that forwards all incoming calls from one infected smartphone to another device or landline number.
- In this way they initiate a so-called "conference call", which allows the remote attacker to listen in on the conversation while the original caller is unaware of it.
- Although Cisco researchers claim that CLOUD malware has already infected up to 50,000 PCs worldwide, most security experts believe this figure is considerably overstated, comparing it with the infection scale of the Flame virus (estimated at around 10,000 systems).
- In any case, no matter how many computers are currently infected, it is certain that the CLOUD virus continues to spread at an unprecedented rate through both legitimate and malicious file-sharing networks.
- Recently, security experts from Symantec published an interesting report about the activities of one of the authors behind CLOUD.
- They are currently trying to establish his identity, using the code deployment process as a means of tracking him down. The idea rests on the fact that only a few people have access to the cloud servers where new versions of the CLOUD modules are constantly being uploaded.
- This makes it possible to find out who recently updated a given malware module, changing its name in order to evade AV detection after it was uploaded.
Conclusion:
Although the CLOUD virus is not as sophisticated as Stuxnet, for instance, it still constitutes one of the largest security challenges for the internet community in 2015. Even though there are no known cases of data theft or other financial damage caused by CLOUD malware yet, its ability to target mobile devices and computers alike makes it a potential troublemaker in terms of cyber security. The best way to protect yourself against a CLOUD infection is to keep regular backups of your system on external hard drives, which can later be used to restore affected files after the source of the attack has been removed.