A recently discovered attack campaign uses public cloud infrastructure to deliver variants of commodity RATs Nanocore, Netwire, and AsyncRATs to target users’ data, researchers report.
This campaign, detected in October, underscores how attackers are increasing their use of cloud technologies to achieve their goals without having to host their own infrastructure, report the Cisco Talos researchers who observed it. It’s the latest example of adversaries using cloud services, such as Microsoft Azure and Amazon Web Services, to launch their attacks.
“These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments,” researchers wrote in a blog post. The strategy has another benefit, they added: “It also makes it more difficult for defenders to track down the attackers’ operations.”
Most victims in this case are in the United States, Italy, and Singapore, Cisco Secure product telemetry indicates. The remote administration tools (RATs) they’re targeted with are built with multiple features to take control of an environment, remotely execute commands, and steal the target’s information.
The unknown attackers behind this campaign use four levels of obfuscation for the downloader. Each stage of the deobfuscation process leads to decryption methods for the following stages, which ultimately lead to the download of the final payload. When the initial script is executed on a target machine, it connects to a download server that downloads the next stage, which can be hosted on an Azure-based Windows server or an AWS EC2 instance, researchers said.
To deliver the malware, the attackers registered multiple malicious subdomains using DuckDNS, a free dynamic DNS service that allows a user to create subdomains and maintain the records using the DuckDNS scripts. Some of the malicious subdomains resolve to the download server on Azure Cloud; others resolve to the servers operated as command-and-control (C2) for RATs.
“It’s just a great example of the challenges enterprises face: malicious email, using an obscure attachment and multiple layers of obfuscation to deliver some sort of remote access capability,” says Nick Biasini, head of outreach at Talos. “This is what enterprises are facing today, and this is an example of many of the techniques we commonly observed in one single campaign.”
The payloads seen in this attack are commodity RATs commonly used in other campaigns. One of these is Nanocore, an executable first spotted in the wild in 2013. Another is NetwireRAT, a known threat that is used to steal passwords, login credentials, and credit card data. It is able to remotely execute commands and collect file system information.
AsyncRAT, the third payload, is designed to remotely monitor and control target machines via encrypted connections. In this campaign, attackers use the AsyncRAT client by configuring it to connect to the C2 server and give them remote access to a victim’s device. They can then steal data using some of its features, which include a keylogger, screen recorded, and system configuration manager.
Biasini says a victim will typically receive a single payload; however, Talos researchers have seen cases in which multiple RATs or other payloads are dropped onto a target system.
A Stronger Focus on Cloud
Researchers often see attackers abuse public cloud infrastructure, Biasini says. Part of the reason is attackers are opportunistic — they’ll use any platform that can to help them achieve their goals. Azure and AWS are both major cloud platforms, so it’s unsurprising that attackers would look to these, as well as a variety of other cloud providers, to use in their campaigns.
The growth in their use of public cloud also points to another trend of access being a primary goal, he adds.
“Ransomware cartels and associated affiliates are making huge sums of money ransoming their victims, [and] this type of remote access can and is sold to these groups,” Biasini explains. “Not all malicious actors want to operate in that space, but with the money to be made, it’s financially advantageous to just sell the initial access to one of these groups.”
Attackers aren’t only abusing cloud infrastructure. New research shows two-thirds of all malware spread to enterprise networks last year originated in cloud apps, including Google Drive and OneDrive. Today’s organizations are more likely to be hit with malware downloads from cloud applications than from any other source — a shift experts attribute to the convenience and cost that benefit attackers.
Cisco Talos researchers advised organizations to inspect their outgoing connections to cloud services for malicious traffic. Defenders should also monitor traffic to their business and implement rules around the script execution policies for their endpoints, they noted.