Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users’ information. According to Cisco, the victims of this campaign are primarily distributed across the United States, Italy and Singapore.

The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method.

The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives. Threat actors, Cisco says, are increasingly using cloud technologies to achieve their objectives without resorting to hosting their own infrastructure, allowing them to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track the attackers’ operations.

The threat actor, in this case, used cloud services to deploy and deliver variants of commodity RATs with the information-stealing capability starting around Oct. 26, 2021. These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information.

The initial infection vector is a phishing email with a malicious ZIP attachment. These ZIP archive files contain an ISO image with a malicious loader in JavaScript, a Windows batch file or a Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, Cisco researchers found. 

To deliver the malware payload, the threat actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans. “The malware samples that have been observed in this campaign have a breadth of capabilities, including capturing video and audio, recording behavior on the screen, swiping login credentials, and taking control of the machine. With remote access trojans (RATs), there’s always an element of control in the attacker’s intentions. In this case, if the attacker can take control of the machine, they can likely follow an individual right into their corporate infrastructure. This could lead to the creation of a backdoor into the infrastructure, which would give the attacker a way to circumvent most security controls in order to monitor the infrastructure, understand security and response tactics, then execute a ransomware attack or data exfiltration attack on the organization,” explains Hank Schless, Senior Manager, Security Solutions at Lookout, a California-based endpoint-to-cloud security company.

Schless says it’s critical to understand the risk profile of every user and device across an organization’s infrastructure and be able to provide continuous conditional access based on that risk. He adds, “You also need to understand how your users interact with cloud apps and the data stored within them. As this mindset moves to the top of the list for most organizations, they’re turning to cloud access security broker (CASB) solutions to help implement the necessary visibility and security. Automated user and entity behavior analytics (UEBA) policies that can detect behavior anomalous indicative of a compromised account are key to any security strategy.” Cisco, for example, suggests that organizations inspect outgoing connections to cloud computing services for malicious traffic.

Threat actors use well-known cloud services in their campaigns because the public passively trusts big companies to be secure, explains Davis McCarthy, Principal Security Researcher at Valtix, a California-based cloud-native network security services provider. “Network defenders may think communications to an IP address owned by Amazon or Microsoft is benign because those communications occur so frequently across a myriad of services. The use of dynamic DNS gives the threat actor a flexible infrastructure that doesn’t require a static IP address. This prevents campaign disruption and provides a layer of obfuscation when threat hunting for a specific dynamic DNS provider’s domain. Creating an inventory of known cloud services and their network communication behaviors may aid in detecting this type of campaign.”

This attack highlights a fundamental principle that is at the core of security for enterprise organizations, says Miclain Keffeler, Application Security Consultant at nVisium, a Virginia-based application security provider. “Security is an onion, so relying on any one given tool like email security, antivirus protection, or even just your people is a recipe for disaster. By having layers, we can not only prevent more attacks, but the attacks that do get through — and they always do — will be more easily remediated. Not to mention, the costs incurred by the company will be significantly lessened since there will be more than one way to root it out — and, ultimately, stop it. Enterprise organizations have a large role to play in this conundrum, but so do public cloud platforms. It is equally their responsibility to ensure that when malicious usage of their services and cloud environment are found, they are immediately halted. These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”