Capitalinstall malware targets healthcare, Microsoft Azure delivers payload

Capital install malware

Cloud storage providers offer virus and malware scanning, but it is not safe to assume that cloud-hosted files are not malicious.

Malicious actors use creative means to serve malware payloads via Microsoft Azure, according to a report published Tuesday by security firm Netskope. These payloads infect targets in the safety-conscious healthcare sector, because IT administrators implicitly trust Azure's IP address blocks for services used by their organization, or for products supplied by a third-party vendor that runs on Azure, the report found.

Consider the following scenario: a user downloads a file hosted on Azure and shares it with other employees by uploading it to a cloud-based file storage service. Although Microsoft provides a free anti-malware service for Azure, the user must enable it. Of course, an Azure user who uses the platform to propagate malware will leave this service disabled.

The malware identified by Netskope, which it calls "Capitalinstall" and which installs the "Linkury" adware package, is currently hosted on Azure; links to the malware are provided in the report. It is unclear whether Netskope contacted Microsoft about the existence of this malware hosted on Azure.

A Netskope customer had several machines infected with CapitalInstall from a website claiming to provide keys or licenses for popular software. The sample was presented as a crack for Adobe's Creative Cloud. Curiously, the payload is an executable file packaged within an ISO file, which Netskope notes is "uncommon for traditional Adware-related families."

"From there, the victim is presented with a page to install a myriad of browser add-ons, cryptocurrency miners and other software."

How can I prevent this problem in my organization?

The easiest and most obvious step to prevent this malware is to stop users from downloading software license cracks from obviously shady websites offering such things. Secondly, inherent trust in cloud service providers is unwise, because, as with any other part of the public Internet, any arbitrary user can upload anything to a cloud file storage service. Likewise, access controls that prevent end users from installing software on company workstations, or anti-malware software, are effective measures to reduce the potential damage caused by these infections.
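The report's point is that allowlisting a provider's IP blocks admits every tenant on that provider, including one hosting an ISO-wrapped payload. The following added example (not Netskope's code or data) triages constructed proxy log lines against two policies: a coarse Azure IP-range allowlist versus an allowlist of the storage account hostnames the organization actually owns; the CIDR, hostnames and log lines are all constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder range standing in for a published Azure block;
# a real deployment would load Microsoft's Service Tags JSON instead.
AZURE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Storage account hostnames the organization itself uses (constructed).
TRUSTED_STORAGE_HOSTS = {"corpfiles.blob.core.windows.net"}

# Executable-carrying file types worth flagging; ISO is the one the report notes.
RISKY_EXTENSIONS = (".iso", ".exe", ".msi")

def in_azure_range(ip: str) -> bool:
    """True if the destination IP falls inside a provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AZURE_RANGES)

def triage(log_line: str) -> dict:
    """Parse a constructed 'user dest_ip url' line and evaluate both policies."""
    user, dest_ip, url = log_line.split()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    ip_policy_allows = in_azure_range(dest_ip)          # coarse: any Azure tenant
    host_policy_allows = host in TRUSTED_STORAGE_HOSTS   # narrow: our accounts only
    risky_file = parsed.path.lower().endswith(RISKY_EXTENSIONS)
    return {
        "user": user,
        "host": host,
        "ip_allowlist_passes": ip_policy_allows,
        "host_allowlist_passes": host_policy_allows,
        # Flag a risky file that the IP policy would have waved through
        # but that comes from a storage account the organization does not own.
        "flag": ip_policy_allows and not host_policy_allows and risky_file,
    }

# Constructed sample proxy log lines: "user dest_ip url".
SAMPLE_LOGS = [
    "alice 203.0.113.10 https://corpfiles.blob.core.windows.net/share/report.pdf",
    "bob 203.0.113.22 https://xyz123.blob.core.windows.net/pub/creative_cloud_crack.iso",
    "carol 198.51.100.5 https://example.net/setup.exe",
]

def flagged_users(lines=SAMPLE_LOGS) -> list:
    """Return users whose downloads the hostname policy flags but the IP policy missed."""
    return [r["user"] for r in map(triage, lines) if r["flag"]]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line))
```

Only the second line is flagged: the download sits inside the provider range, so an IP-block allowlist passes it, while the per-account hostname allowlist does not.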

Big takeaways for technology leaders:

  • Malicious actors use creative means to serve payloads of malware via Microsoft Azure.
  • As with any other part of the public Internet, any arbitrary user can upload anything to cloud file storage services, so inherent trust in cloud service providers is unwise.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.