Cisco Talos discovers a new malware campaign using the public cloud to hide its tracks
January 12, 2022
303         0

The campaign was first detected in October and is using services like AWS and Azure to hide its tracks and evade detection.


Image: Shutterstock/Profit_Image

Talos, Cisco’s cybersecurity research arm, reports it has detected a new malware campaign that is using public cloud infrastructure to host and deliver variants of three remote access trojans (RATs) while maintaining enough agility to avoid detection.

The campaign, which Talos said began in late October 2021, has been seen primarily targeting the United States, Canada, Italy and Singapore, with Spain and South Korea also being popular targets for this latest attack. 

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Public cloud services like AWS and Microsoft Azure were both cited by Talos as having played host to the malware, and the attackers also used some serious obfuscation in their downloader. These attacks are evidence that threat actors are actively using cloud services as part of the latest form of attack, and that means trouble for vulnerable organizations.

How to host your malware in the cloud

The attacks that Talos detected involve variants of three RATs: Nanocore, Netwire and AsyncRAT, each of which is commercially available (also known as a commodity RAT). Each of the tools, Talos said, was being deployed with the goal of stealing user information.

Infections caused as a part of the campaigns that Talos discovered are coming via phishing emails that contain malicious ZIP files that contain either a Javascript, Windows batch file or Visual Basic script. That file, in turn, downloads the actual malware from an Azure Windows server or AWS EC2 instance. 

In order to deliver the malware, the attackers used the free dynamic DNS (DDNS) service DuckDNS to redirect traffic. DDNS allows site owners to register a URL to a non-static IP address. In combination with using web services to host malware, DDNS makes it much harder to identify where the attack is coming from. 

The attackers further hide their intent with four different layers of obfuscation. Talos says the JavaScript version of the downloader is using four different functions to decrypt itself, and nested inside each encrypted layer is the method by which it is further decrypted.

Decryption begins with the ejv() function, which is normally used for validating JSON files. Once it does the first layer of decryption, evj() hands code with one layer of encryption removed that has to be further decrypted using the Ox$() general purpose library. At layer three, the decryption process uses “another obfuscated function which has multiple function calls returning values and a series of eval() functions,” Talos said. Those eval() calls in turn use Ox$() to decrypt it yet again.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Lastly, obfuscation layer four uses the third-level function and some of its own self-decryption logic to decrypt the dropper and download the malware. Along with downloading it, layer four also adds a registry key to establish persistence, configures scheduled tasks for itself, attempts to mess with the alternate data stream attribute of NTFS files to hide its source, and fingerprints the machine.

How to avoid cloud-based malware

As is the case with many attacks, this one is complicated beneath the surface, but it still relies on human error to get its foot in the door. That said, the normal recommendations of “train your staff and install good security software” apply. 

Talos adds that organizations should monitor their inbound and outbound traffic to ensure they’re not letting suspicious traffic pass by, restrict script execution at endpoints, and ensure you have a solid, reliable email filtering service in place. 

Also see

subscribe for YouMedia Newsletter

Leave a Reply

Your email address will not be published. Required fields are marked *

subscribe for YouMedia Newsletter