Hackers buying space from major cloud providers to distribute malware

January 13, 2022

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRAT that target users’ information. According to Cisco, the victims of this campaign are primarily distributed across the United States, Italy and Singapore.


The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process yields the decryption method for the next stage, until the actual malicious downloader method is reached.

The campaign is the latest example of threat actors abusing cloud services such as Microsoft Azure and Amazon Web Services to achieve their malicious objectives. Threat actors, Cisco says, are increasingly using cloud technologies instead of hosting their own infrastructure, which lets them stand up infrastructure and connect it to the internet with minimal time or monetary commitment. It also makes it more difficult for defenders to track the attackers’ operations.


The threat actor, in this case, used cloud services to deploy and deliver variants of commodity RATs with information-stealing capabilities, starting around Oct. 26, 2021. These variants of Remote Administration Tools (RATs) are packed with features that let the attacker take control of the victim’s environment, execute arbitrary commands remotely and steal the victim’s information.

The initial infection vector is a phishing email with a malicious ZIP attachment. The ZIP archive contains an ISO image holding a malicious loader written in JavaScript, as a Windows batch file or as a Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to fetch the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, Cisco researchers found.


To deliver the malware payload, the threat actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans. “The malware samples that have been observed in this campaign have a breadth of capabilities, including capturing video and audio, recording behavior on the screen, swiping login credentials, and taking control of the machine. With remote access trojans (RATs), there’s always an element of control in the attacker’s intentions. In this case, if the attacker can take control of the machine, they can likely follow an individual right into their corporate infrastructure. This could lead to the creation of a backdoor into the infrastructure, which would give the attacker a way to circumvent most security controls in order to monitor the infrastructure, understand security and response tactics, then execute a ransomware attack or data exfiltration attack on the organization,” explains Hank Schless, Senior Manager, Security Solutions at Lookout, a California-based endpoint-to-cloud security company.


Schless says it’s critical to understand the risk profile of every user and device across an organization’s infrastructure and be able to provide continuous conditional access based on that risk. He adds, “You also need to understand how your users interact with cloud apps and the data stored within them. As this mindset moves to the top of the list for most organizations, they’re turning to cloud access security broker (CASB) solutions to help implement the necessary visibility and security. Automated user and entity behavior analytics (UEBA) policies that can detect anomalous behavior indicative of a compromised account are key to any security strategy.” Cisco, for example, suggests that organizations inspect outgoing connections to cloud computing services for malicious traffic.


Threat actors use well-known cloud services in their campaigns because the public passively trusts big companies to be secure, explains Davis McCarthy, Principal Security Researcher at Valtix, a California-based cloud-native network security services provider. “Network defenders may think communications to an IP address owned by Amazon or Microsoft are benign because those communications occur so frequently across a myriad of services. The use of dynamic DNS gives the threat actor a flexible infrastructure that doesn’t require a static IP address. This prevents campaign disruption and provides a layer of obfuscation when threat hunting for a specific dynamic DNS provider’s domain. Creating an inventory of known cloud services and their network communication behaviors may aid in detecting this type of campaign.”
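The two defensive recommendations above (Cisco’s advice to inspect outgoing connections to cloud services, and McCarthy’s suggestion to inventory known cloud services and watch for the dynamic DNS provider’s domain) can be turned into simple detection logic. The following is an added example, not code from the article, Cisco Talos, Lookout or Valtix. It runs over constructed log lines that mimic the infection chain described earlier (a host looks up a DuckDNS subdomain, then downloads its next stage from cloud-hosted address space). The log format, the provider prefixes (RFC 5737 documentation ranges standing in for real provider ranges), the inventory and all hostnames and addresses are constructed for the example; only duckdns.org comes from the article.

```python
"""Added example: flag dynamic-DNS activity and unexplained connections into
cloud-provider address space. Log format, prefixes, inventory and hosts are
constructed; duckdns.org is the only value taken from the article."""
import ipaddress
import re
from dataclasses import dataclass

# duckdns.org is named in the article; other dynamic-DNS zones would go here.
DYNAMIC_DNS_ZONES = ("duckdns.org",)

# Constructed placeholders for cloud-provider address space. A real deployment
# would load the providers' published IP range lists instead.
CLOUD_PREFIXES = {
    "cloud-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed inventory: destination hostname -> provider it is expected to
# resolve into. Anything else seen in provider space is reported as unknown.
KNOWN_CLOUD_SERVICES = {"files.example-saas.test": "cloud-a"}

# Constructed log stream (DNS answers and egress connections). 10.0.0.15 plays
# the infected host: a dynamic-DNS lookup, then a download from cloud space.
SAMPLE_LOG = """
2021-10-27T09:14:02Z dns src=10.0.0.15 qname=update-checker.duckdns.org
2021-10-27T09:14:03Z conn src=10.0.0.15 dst=203.0.113.45 host=update-checker.duckdns.org
2021-10-27T09:15:10Z conn src=10.0.0.22 dst=203.0.113.9 host=files.example-saas.test
2021-10-27T09:15:40Z conn src=10.0.0.22 dst=198.51.100.5 host=files.example-saas.test
2021-10-27T09:16:00Z conn src=10.0.0.22 dst=192.0.2.8 host=www.example.com
2021-10-27T09:17:21Z conn src=10.0.0.31 dst=198.51.100.77 host=api.other-service.test
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn) src=(?P<src>\S+) (?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    rule: str
    detail: str


def is_dynamic_dns(name: str) -> bool:
    """True for a subdomain of a watched dynamic-DNS zone (not the zone apex)."""
    name = name.lower().rstrip(".")
    return any(name.endswith("." + zone) for zone in DYNAMIC_DNS_ZONES)


def cloud_provider_for(ip_text: str):
    """Label of the provider whose address space contains ip_text, else None."""
    ip = ipaddress.ip_address(ip_text)
    for provider, prefixes in CLOUD_PREFIXES.items():
        if any(ip in prefix for prefix in prefixes):
            return provider
    return None


def _fields(rest: str) -> dict:
    """Turn 'k=v k2=v2' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def analyze(lines) -> list:
    """Run both rules over the log stream and return findings in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip rather than crash
        ts, kind, src, f = m["ts"], m["kind"], m["src"], _fields(m["rest"])
        if kind == "dns" and is_dynamic_dns(f.get("qname", "")):
            findings.append(Finding(ts, src, "dynamic_dns_lookup", f["qname"]))
        elif kind == "conn":
            host, dst = f.get("host", ""), f.get("dst", "")
            if is_dynamic_dns(host):
                findings.append(Finding(ts, src, "dynamic_dns_connection", host))
            provider = cloud_provider_for(dst) if dst else None
            # Flag provider-space destinations the inventory does not explain,
            # including a known host showing up in the wrong provider's space.
            if provider and KNOWN_CLOUD_SERVICES.get(host) != provider:
                findings.append(Finding(ts, src, "unknown_cloud_destination",
                                        f"{host} -> {dst} ({provider})"))
    return findings


def sources_by_rule(findings) -> dict:
    """rule -> sorted distinct source hosts, the view a hunter triages from."""
    grouped = {}
    for item in findings:
        grouped.setdefault(item.rule, set()).add(item.source)
    return {rule: sorted(srcs) for rule, srcs in grouped.items()}


if __name__ == "__main__":
    for item in analyze(SAMPLE_LOG):
        print(f"{item.timestamp} {item.source:<10} {item.rule:<26} {item.detail}")
    print(sources_by_rule(analyze(SAMPLE_LOG)))
```

Two design points are worth noting. The inventory check compares the provider actually contacted with the provider the inventory expects for that hostname, so a known SaaS hostname suddenly resolving into a different provider’s space is flagged as well as a wholly unknown destination; that is the kind of behavioral baseline McCarthy describes. The dynamic-DNS rule deliberately ignores the zone apex and fires only on subdomains, since the registered subdomain is what a campaign like this one creates.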


This attack highlights a fundamental principle that is at the core of security for enterprise organizations, says Miclain Keffeler, Application Security Consultant at nVisium, a Virginia-based application security provider. “Security is an onion, so relying on any one given tool like email security, antivirus protection, or even just your people is a recipe for disaster. By having layers, we can not only prevent more attacks, but the attacks that do get through — and they always do — will be more easily remediated. Not to mention, the costs incurred by the company will be significantly lessened since there will be more than one way to root it out — and, ultimately, stop it. Enterprise organizations have a large role to play in this conundrum, but so do public cloud platforms. It is equally their responsibility to ensure that when malicious usage of their services and cloud environment are found, they are immediately halted. These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”
