Amazon, Azure Clouds Host RAT-ty Trio in Infostealing Campaign

A cloudy campaign delivers commodity remote-access trojans to steal information and execute code.

Cyberattackers are abusing Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), researchers warned – all aimed at hoovering up sensitive information from target users.

According to an analysis from Cisco Talos, threat actors have been pushing out variants of the malware known as AsyncRAT, Netwire and Nanocore since October, mainly to targets in Italy, Singapore and the United States. A few of the targets have been in South Korea and Spain as well, according to the firm.

As in many campaigns, the attacks start with a phishing email containing a malicious .ZIP attachment, researchers said. But the attackers have a cloud-based trick up their sleeve.

“These .ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script,” Talos researchers explained on Wednesday. “When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.”

Clouding the (Malicious) Issue

Using cloud services to host the payloads is a savvy effort to avoid detection while cutting the costs of the campaign, researchers noted, since they don’t have to set up their own infrastructure.

“These types of cloud services like Azure and AWS allow attackers to…connect to the internet with minimal time or monetary commitments,” according to the analysis. “It also makes it more difficult for defenders to track down the attackers’ operations.”

The actor behind this campaign maintains a distributed infrastructure consisting of download servers, command-and-control servers (C2s) and malicious subdomains, researchers noted. The downloading servers are the ones hosted on Microsoft Azure and AWS cloud services.

Beyond that, the main JavaScript downloader used in the campaign leverages a four-layer, complex obfuscation technique in its script: “Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method,” researchers explained. “The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function.”

The campaign uses a range of other dropper trojans as well, including a batch-file downloader and a VBScript downloader.

“The batch script contains an obfuscated command that runs PowerShell to download and run a payload from a download server…on Azure Cloud,” researchers said. “Obfuscated VB downloaders execute a PowerShell command which runs and connects to the download server…running on AWS EC2.”

And finally, to further cover their tracks, the attackers are using the DuckDNS dynamic DNS service to change the domain names of the C2  hosts. Talos found they have registered several malicious subdomains using the service.

RATs Swarm Their Victims

The RATs used in the campaign come in three flavors, all sporting multiple features to steal the victims’ information, according to the analysis:

  • AsyncRAT is used to remotely monitor and control computers through a secure encrypted connection to the C2 server. It also has features like a keylogger, screen recorder and a system-configuration manager, to allow the attacker to steal confidential data from the victim’s machine.
  • NetwireRAT is a known threat used by cyberattackers to steal victim’s passwords, login credentials and credit-card data. It also has the capability to remotely execute the commands and collects file-system information.
  • Nanocore is a 32-bit .NET portable executable – a commodity threat first seen in the wild in 2013. The version used in this campaign, which has a build date of Oct. 26, contains two plugins, called Client and SurveillanceEx. Client handles the communications with the C2 server; and SurveillanceEX captures video and audio, and monitors remote-desktop activity.

Detection Tip: Inspect Outgoing Cloud Connections

Threat actors are actively using cloud services in their malicious campaigns, Talos researchers warned, noting that to detect malicious activity, organizations should be inspecting outgoing connections to cloud-computing services.

“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets,” they concluded. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages, and break the infection chain as early as possible.”

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.


Back to top button