Threat actors are abusing Amazon's and Microsoft's public cloud services in their malicious operations to deploy commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT and steal sensitive data from victims' computers. Researchers from Cisco Talos said in a report that the spear-phishing attacks have predominantly targeted companies in the United States, Canada, Italy, and Singapore.
Employing existing infrastructure to support intrusions is becoming more common. It eliminates the need for attackers to run their own servers, and the trusted infrastructure also serves as cover that helps evade detection by security solutions. Collaboration and communication applications such as Discord, Slack, and Telegram have recently appeared in many infection chains as a means to take over victim devices and exfiltrate data. In this sense, cloud platform abuse is a tactical extension that attackers can exploit as a first foothold into a wide range of networks.
According to Nick Biasini, head of outreach at Cisco Talos, this specific campaign has numerous interesting features. It illustrates several techniques commonly seen used and misused by bad actors, from the exploitation of dynamic DNS for command-and-control (C2) operations to the use of cloud infrastructure to host malware. Furthermore, the layers of obfuscation reflect the present state of criminal cyber operations: it takes a lot of analysis to get down to the attack's final payload and goals.
It all begins with an invoice-themed phishing email carrying a ZIP file attachment that, when opened, initiates an attack sequence that downloads next-stage payloads hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, culminating in the deployment of RATs such as AsyncRAT, Nanocore, and Netwire. The use of DuckDNS, a free dynamic DNS service, to generate malicious subdomains for malware delivery is also notable. Some of the actor-controlled subdomains resolve to the download server on Azure Cloud, while others resolve to servers serving as C2 for the RAT payloads.
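One way a defender could surface the dynamic-DNS-to-download pattern described above, as an added example that is not part of the article or of the Cisco Talos research: correlate DNS queries for free dynamic-DNS hostnames with a follow-on fetch of an archive or executable from the same host by the same client within a short window. Only DuckDNS is named in the article; the other provider suffixes, the file-extension list, the log formats, and every hostname and IP in the sample logs are constructed assumptions for this example.

```python
"""Detection example: correlate DNS queries for free dynamic-DNS hostnames with
follow-on downloads of archive/executable content from the same host.

Added example, not code from the article or the Cisco Talos report. The log
lines, hostnames and IPs below are constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# DuckDNS is named in the article. The other two are common free dynamic-DNS
# providers added here as an assumption; tune the list to your environment.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Extensions that often carry next-stage payloads (assumption for the example).
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".zip", ".js", ".vbs", ".ps1")

# Constructed DNS resolver log: "<timestamp> <client_ip> <qname> <answer_ip>"
DNS_LOG = """\
2021-12-01T09:14:02 10.0.0.25 intranet.example.local 10.0.0.5
2021-12-01T09:15:10 10.0.0.31 invoice-update.duckdns.org 203.0.113.40
2021-12-01T09:15:12 10.0.0.31 cdn.example.com 198.51.100.7
2021-12-01T10:02:44 10.0.0.58 mail.example.com 10.0.0.9
"""

# Constructed web proxy log: "<timestamp> <client_ip> <method> <url>"
PROXY_LOG = """\
2021-12-01T09:15:11 10.0.0.31 GET http://invoice-update.duckdns.org/files/Invoice_8841.zip
2021-12-01T09:15:13 10.0.0.31 GET http://cdn.example.com/static/app.css
2021-12-01T10:02:46 10.0.0.58 GET https://mail.example.com/inbox
"""


def parse_dns(log: str):
    """Yield (timestamp, client, qname, answer) from the four-field DNS log."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            ts, client, qname, answer = fields
            yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer


def parse_proxy(log: str):
    """Yield (timestamp, client, method, url) from the four-field proxy log."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            ts, client, method, url = fields
            yield datetime.fromisoformat(ts), client, method, url


def is_dynamic_dns(hostname: str) -> bool:
    """True if hostname is exactly, or a subdomain of, a listed dynamic-DNS zone."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == s or hostname.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_dyndns_downloads(dns_log: str, proxy_log: str, window_seconds: int = 300):
    """Return one alert per (client, dynamic-DNS host) pair where the client resolved
    the host and, within window_seconds afterwards, fetched a payload-like file
    from it. Each alert keeps the resolved IP so it can be pivoted on later."""
    suspicious = [rec for rec in parse_dns(dns_log) if is_dynamic_dns(rec[2])]
    fetches = list(parse_proxy(proxy_log))
    alerts = []
    for dns_ts, client, qname, answer in suspicious:
        for fetch_ts, fetch_client, _method, url in fetches:
            if fetch_client != client or (urlparse(url).hostname or "") != qname:
                continue
            if not timedelta(0) <= fetch_ts - dns_ts <= timedelta(seconds=window_seconds):
                continue
            if url.lower().endswith(PAYLOAD_EXTENSIONS):
                alerts.append({
                    "client": client,
                    "hostname": qname,
                    "resolved_to": answer,
                    "url": url,
                    "dns_time": dns_ts.isoformat(),
                    "fetch_time": fetch_ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_dyndns_downloads(DNS_LOG, PROXY_LOG):
        print(alert)
```

The benign DNS and proxy lines are included so the correlation has something to ignore: a dynamic-DNS lookup alone is only a weak signal, and a download alone is routine, but the two from the same client within seconds is what the chain in the article looks like from the network. The `resolved_to` field is kept so an analyst can check whether the answer falls in a public cloud provider's address space, which this example deliberately does not hard-code.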
“Malicious actors are opportunistic and will always be looking for new and inventive ways to both host malware and infect victims,” according to Biasini. “The abuse of platforms such as Slack and Discord as well as the related cloud abuse are part of this pattern. We also commonly find compromised websites being used to host malware and other infrastructure as well and again points to the fact that these adversaries will use any and all means to compromise victims.”