{"id":21189,"date":"2022-01-18T13:13:12","date_gmt":"2022-01-18T13:13:12","guid":{"rendered":"https:\/\/www.veritis.com\/?p=12915"},"modified":"2025-06-09T10:47:52","modified_gmt":"2025-06-09T10:47:52","slug":"cybercriminals-exploit-aws-azure-clouds-to-distribute-remote-access-trojans","status":"publish","type":"news","link":"https:\/\/demolobby.com\/veritisbeta\/news\/cybercriminals-exploit-aws-azure-clouds-to-distribute-remote-access-trojans\/","title":{"rendered":"Cybercriminals Exploit Amazon Web Services, Azure Clouds to Distribute Remote Access Trojans!"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-12917 size-full\" title=\"Cybercriminals Exploit AWS, Azure Clouds to Distribute Remote Access Trojans\" src=\"https:\/\/veritis.com\/wp-content\/uploads\/2022\/01\/cybercriminals-exploit-aws-azure-clouds-to-distribute-remote-access-trojans.jpg\" alt=\"Cybercriminals Exploit AWS, Azure Clouds to Distribute Remote Access Trojans\" width=\"800\" height=\"422\" \/><\/p>\n<p>In a shocking turn of events, threat intelligence firm Cisco Talos discovered that malicious actors are increasingly exploiting <a href=\"https:\/\/www.veritis.com\/solutions\/cloud\/public-cloud-computing-services\/\" target=\"_blank\" rel=\"noopener\">public cloud technologies<\/a> to deliver remote access trojans (RATs), sparing themselves the effort of hosting their own infrastructure.<\/p>\n<p>According to Cisco Talos, the threat actors are exploiting <a href=\"https:\/\/www.veritis.com\/solutions\/cloud\/\" target=\"_blank\" rel=\"noopener\">cloud services<\/a> like AWS and Azure to stand up their infrastructure and connect it to the internet with minimal time and cost.<\/p>\n<p>The threat actors in this campaign used cloud platforms to deploy and deliver variants of commodity RATs, including Nanocore, Netwire and AsyncRAT, starting in October 2021. 
These malware variants give the attacker remote control of the victim\u2019s system, allowing them to execute arbitrary commands and steal the victim&#8217;s data.<\/p>\n<h2>How did the threat actors organize the malicious campaign?<\/h2>\n<p>In the observed campaign, the infection chain began with phishing emails carrying malicious ZIP attachments.<\/p>\n<blockquote><p>\u201cThese ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or Visual Basic script. When the initial script is executed on the victim&#8217;s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance,\u201d explained Cisco Talos.<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-12918 size-full\" title=\"Infection Flow Diagram\" src=\"https:\/\/veritis.com\/wp-content\/uploads\/2022\/01\/infection-flow-diagram.jpg\" alt=\"Infection Flow Diagram\" width=\"800\" height=\"504\" \/><\/p>\n<p><strong>Some of the malicious ZIP file names observed in the campaign are:<\/strong><\/p>\n<ul>\n<li>WROOT_Invoice_Copy.zip<\/li>\n<li>YUEOP_Invoice_Copy.zip<\/li>\n<li>HOO8M_Invoice_Copy.zip<\/li>\n<li>TROOS_Invoice_Copy.zip<\/li>\n<li>TBROO1_Invoice_Copy.zip<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-12919 size-full\" title=\"Phishing Email Example\" src=\"https:\/\/veritis.com\/wp-content\/uploads\/2022\/01\/phishing-email-example.jpg\" alt=\"Phishing Email Example\" width=\"800\" height=\"551\" \/><\/p>\n<p>The researchers discovered that the perpetrator registered several 
dubious subdomains using DuckDNS to deliver the malware payload. DuckDNS is an open-source dynamic DNS service that offers public DNS services.<\/p>\n<blockquote><p>\u201cSome of the actor-controlled malicious subdomains resolve to the download server on <a href=\"https:\/\/www.veritis.com\/blog\/azure-cloud-migration-4-step-strategy\/\" target=\"_blank\" rel=\"noopener\">Azure Cloud<\/a> while others resolve to the servers operated as C2 for the remote access trojan payloads,\u201d said the researchers.<\/p><\/blockquote>\n<p><strong>Cisco Talos identified a number of actor-controlled malicious DuckDNS subdomains in the campaign.<\/strong><\/p>\n<blockquote><p>\u201cThe fact that the hackers are constantly modifying their C2 centers with DuckDNS just shows how \u2018by any means necessary\u2019 the hackers are willing to operate,\u201d said Garret Grajek, CEO at YouAttest. &#8220;The attacks like this one show a team effort in scanning, exploiting, obfuscation, and then finally exfiltration.&#8221;<\/p><\/blockquote>\n<p>Moreover, the downloader JavaScript used in the phishing campaign leveraged four layers of obfuscation.<\/p>\n<blockquote><p>\u201cEach stage of the de-obfuscation process results in the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. 
The de-obfuscation process is performed at each stage, with every next stage generated as the result of the previous stage\u2019s de-obfuscation function.\u201d<\/p><\/blockquote>\n<p>In addition to the JavaScript loader trojan, the campaign also used a batch file downloader trojan, a VBScript downloader trojan and PowerShell dropper scripts.<\/p>\n<p>The researchers also found that the malicious actor maintained a distributed infrastructure of download servers, command and control servers and malicious subdomains, with the download servers hosted on <a href=\"https:\/\/www.veritis.com\/blog\/aws-vs-azure-cloud-a-glance-at-comparison\/\" target=\"_blank\" rel=\"noopener\">AWS and Azure cloud services<\/a>.<\/p>\n<h3>Hackers at an advantage<\/h3>\n<p>The Cisco researchers noted that hosting the payloads on cloud services lets the attackers stay under the radar while cutting costs, since they do not need to deploy their own infrastructure. \u201cIt also makes it more difficult for defenders to track down the attackers&#8217; operations,\u201d mentioned Cisco Talos.<\/p>\n<blockquote><p>\u201cThreat actors use well-known cloud services in their campaigns because the public passively trusts big companies to be secure,\u201d said Davis McCarthy, a security researcher at Valtix. 
&#8220;Network defenders may think communications to an IP address owned by Amazon or Microsoft are benign because those communications occur so frequently across a myriad of services.&#8221;<\/p><\/blockquote>\n<h3>How can businesses prevent these attacks?<\/h3>\n<p>Because the cybercriminals behind this campaign use dynamic DNS rather than static IP addresses, building an inventory of known <a href=\"https:\/\/www.veritis.com\/solutions\/cloud\/\" target=\"_blank\" rel=\"noopener\">cloud services<\/a> and their normal network communication behaviors is imperative to fend off such campaigns. Businesses must set up comprehensive multi-layered security controls to identify and defend against similar threats.<\/p>\n<p>They must monitor their organizational traffic and enforce strict script execution policies on their network endpoints. Moreover, organizations must double down on email security to identify and block malicious emails and stop the infection at an early stage.<\/p>\n","protected":false},"featured_media":12916,"parent":0,"menu_order":0,"template":"","tags":[173,116,348,349,136,289,350],"class_list":["post-21189","news","type-news","status-publish","has-post-thumbnail","hentry","tag-aws","tag-azure","tag-azure-cloud","tag-cisco-talos","tag-cloud-services","tag-cybercriminals","tag-duckdns"],"acf":[],"_links":{"self":[{"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/news\/21189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/news"}],"about":[{"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/types\/news"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/media\/12916"}],"wp:attachment":[{"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/media?parent=21189"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/demolobby.com\/veritisbeta\/wp-json\/wp\/v2\/tags?post=21189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}