Threat actors are folding Amazon's and Microsoft's public cloud services into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT and siphon sensitive data from victim systems.
Researchers from Cisco Talos said in a report shared with The Hacker News that the spear-phishing attacks, which began in October 2021, have predominantly targeted organisations in the United States, Canada, Italy, and Singapore.
Using existing infrastructure to support intrusions is becoming more common: it removes the need for attackers to run their own servers, and traffic to well-known cloud providers blends in with legitimate activity, which helps the attackers evade detection by security solutions.
Collaboration and communication applications such as Discord, Slack, and Telegram have recently found their way into many an infection chain to take over victim machines and exfiltrate data from them. Seen in this light, cloud platform abuse is a tactical extension that attackers can use as a first foothold into a wide range of networks.
“There are several fascinating components to this particular effort, and it speaks to some of the things we regularly see utilised and misused by malicious actors,” said Cisco Talos’ head of outreach, Nick Biasini, in an email to The Hacker News.
“From the abuse of dynamic DNS for command-and-control (C2) activities to the use of cloud infrastructure to host malware. Furthermore, the layers of obfuscation reflect the current status of illegal cyber activities, in which it takes a lot of study to get down to the attack’s final payload and goals.”
The attack starts with an invoice-themed phishing email carrying a ZIP attachment. Opening it kicks off a sequence that downloads next-stage payloads hosted on a Windows server in Azure or on an AWS EC2 instance, culminating in the deployment of RATs such as AsyncRAT, Nanocore, and Netwire.
Also noteworthy is the use of DuckDNS, a free dynamic DNS service, to create malicious subdomains for malware delivery: some of the actor-controlled subdomains resolve to the download server on Azure, while others point to the servers acting as C2 for the RAT payloads. Because dynamic DNS lets an operator repoint a hostname at will, blocking a single IP address is not enough; the hostnames themselves need to be tracked.
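The combination described above, dynamic DNS hostnames resolving into public cloud address space, is something a defender can hunt for in DNS logs. The following is an added example written for this page, not Cisco Talos tooling or anything from the report: it parses a constructed log format (`timestamp client qname answer`), flags lookups of DuckDNS hostnames on a label boundary (so `duckdns.org.example.com` is not mistaken for DuckDNS), and checks whether the answer falls inside a set of cloud prefixes. The prefixes here are RFC 5737 documentation ranges used as placeholders so the script runs offline; in practice you would load the published AWS `ip-ranges.json` and Azure Service Tags lists. The sample hostnames and addresses are invented.

```python
"""Hunt DNS logs for dynamic-DNS lookups that resolve into public cloud space.

Added example, not Cisco Talos code. The log format and the IP prefixes are
constructed placeholders (see comments).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Dynamic DNS provider named in the article; extend with your own list.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# PLACEHOLDER cloud prefixes (RFC 5737 documentation ranges) so this runs offline.
# In production, load the AWS ip-ranges.json and Azure Service Tags lists instead.
CLOUD_PREFIXES = {
    "aws-placeholder": ipaddress.ip_network("192.0.2.0/24"),
    "azure-placeholder": ipaddress.ip_network("198.51.100.0/24"),
}


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    answer: str
    cloud: Optional[str]  # which placeholder cloud prefix the answer fell in, if any


def is_dynamic_dns(qname: str) -> bool:
    """True if qname is a dynamic-DNS hostname. The suffix is matched on a label
    boundary so 'duckdns.org.example.com' is not mistaken for DuckDNS."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def cloud_provider(ip: str) -> Optional[str]:
    """Return the name of the cloud prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in CLOUD_PREFIXES.items():
        if addr in net:
            return name
    return None


def parse_line(line: str):
    # Constructed format: "<timestamp> <client_ip> <qname> <answer_ip>"
    ts, client, qname, answer = line.split()
    return ts, client, qname.rstrip(".").lower(), answer


def hunt(lines) -> List[Finding]:
    """Return dynamic-DNS lookups, cloud-hosted answers first."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, answer = parse_line(line)
        if is_dynamic_dns(qname):
            findings.append(Finding(ts, client, qname, answer, cloud_provider(answer)))
    # Dynamic-DNS names that land in cloud space match the article's pattern
    # (download server on Azure/AWS), so surface those first (stable sort).
    findings.sort(key=lambda f: f.cloud is None)
    return findings


# Constructed sample log lines; the hostnames and addresses are invented.
SAMPLE_LOG = """\
# ts client qname answer
2021-10-14T09:12:01Z 10.0.0.23 www.example.com. 203.0.113.5
2021-10-14T09:15:40Z 10.0.0.41 sample-two.duckdns.org. 203.0.113.77
2021-10-14T09:12:07Z 10.0.0.23 sample-one.duckdns.org. 192.0.2.10
2021-10-14T09:16:02Z 10.0.0.41 duckdns.org.example.com. 198.51.100.8
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.client} -> {f.qname} = {f.answer} cloud={f.cloud}")
```

Run against the sample, the script reports two DuckDNS lookups and puts the one that resolved into the placeholder cloud range first; the lookup of `duckdns.org.example.com` is correctly ignored. A hit is a lead, not a verdict: legitimate DuckDNS use exists, so the hostname still needs to be pivoted on (first-seen time, which hosts queried it, what the answer IP served).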
“Malicious actors are opportunistic,” Biasini explained, “and will always be seeking new and imaginative ways to both host malware and infect victims. This pattern includes the exploitation of platforms like Slack and Discord, as well as the related cloud abuse. We frequently see hijacked websites being used to host malware and other infrastructure, demonstrating that these adversaries will use any and all ways to obtain access to victims.”