
Threat actor sends RATs via popular AWS and Azure cloud services

Visitors arrive at the cloud pavilion of Amazon Web Services at a technology trade fair on March 14, 2016, in Hanover, Germany. (Sean Gallup/Getty Images)

Researchers on Wednesday reported that a threat actor has been using popular cloud services such as Microsoft Azure and Amazon Web Services (AWS) to launch remote administration trojans (RATs) across organizations in the United States, Italy and Singapore.

In a blog post, Cisco Talos researchers said this threat actor — along with many other threat actors — now launches campaigns without having to host its own infrastructure. This specific threat actor started these activities around Oct. 26 of last year.

The researchers said the RATs are distributed via phishing emails with malicious ZIP attachments and aim to take control of the victim’s environment to execute arbitrary commands remotely and steal sensitive information. The ZIP files contain an ISO image with a malicious JavaScript loader, a Windows batch file or a Visual Basic script. Once the first script is executed on a victim’s computer, it connects to a download server and retrieves the next stage, which the attackers host on an Azure cloud-based Windows server or an AWS EC2 instance.

To deliver the malware payload, the threat actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware variants associated with the campaign are variants of the following RATs: Netwire, Nanocore and AsyncRAT.

Threat actors use well-known cloud services in their campaigns because the public passively trusts that big companies are secure, said Davis McCarthy, principal security researcher at Valtix. McCarthy said network defenders may think communications to an IP address owned by Amazon or Microsoft are benign because those communications occur so frequently across a myriad of services.

“The use of dynamic DNS gives the threat actor a flexible infrastructure that doesn’t require a static IP address,” McCarthy said. “This prevents campaign disruption and provides a layer of obfuscation when threat hunting for a specific dynamic DNS provider's domain. Creating an inventory of known cloud services and their network communication behaviors may aid in detecting this type of campaign.”
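The delivery chain described above (DuckDNS subdomains fronting second-stage servers on Azure and EC2) and McCarthy's suggestion to inventory cloud services point at one concrete defender-side check: correlating dynamic DNS lookups with known cloud address space rather than alerting on cloud IPs alone. The following is an added example, not code from Cisco Talos or from SC Media; the resolver log format, the cloud ranges and the single-provider dynamic DNS list are constructed placeholders.

```python
import ipaddress
# Dynamic DNS providers to watch; DuckDNS is the one named in the Talos report.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Placeholder cloud ranges, constructed for this example; a real inventory comes
# from the providers' published lists (e.g. AWS's ip-ranges.json).
CLOUD_RANGES = {
    "aws-ec2-placeholder": ipaddress.ip_network("203.0.113.0/24"),
    "azure-placeholder": ipaddress.ip_network("198.51.100.0/24"),
}

def cloud_label(ip: str):
    """Name of the cloud range containing ip, or None (also for non-IP answers)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. a resolver error token in the answer column
        return None
    return next((label for label, net in CLOUD_RANGES.items() if addr in net), None)

def is_dynamic_dns(qname: str) -> bool:
    """True when qname is a dynamic DNS provider domain or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)

def find_suspicious(lines):
    """(client, qname, answer, label) for dynamic DNS names resolving into cloud
    ranges. Lines use the constructed format "<ts> <client> <qname> A <answer>";
    anything else is skipped. A cloud IP alone is deliberately not flagged."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        _ts, client, qname, _rtype, answer = parts
        label = cloud_label(answer) if is_dynamic_dns(qname) else None
        if label:
            hits.append((client, qname, answer, label))
    return hits

# Constructed sample: one benign cloud lookup, one dynamic DNS miss, two hits.
SAMPLE_LOG = """\
2021-10-26T09:12:01Z ws-017 update.duckdns.org A 192.0.2.10
2021-10-26T09:12:05Z ws-017 files-sync.duckdns.org A 203.0.113.45
2021-10-26T09:13:40Z ws-022 www.example.com A 198.51.100.7
2021-10-26T09:14:02Z ws-031 cdn-host.duckdns.org A 198.51.100.88
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("dynamic DNS name resolving into a cloud range:", hit)
```

The plain www.example.com lookup into the same cloud range is left alone on purpose, which is what makes this check usable where wholesale blocking of cloud addresses is not.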

Nasser Fattah, steering committee chair for North America at Shared Assessments, said that, just like legitimate businesses, threat actors also look to technical innovations like the cloud to further automate, optimize and launch their attacks.

“Cloud capabilities like auto-scaling (automatically increasing computing power), enable threat actors to increase and amplify attacks,” Fattah said. “What better way to improve and scale their own operations. I would also expect threat actors — just like legitimate companies — to have a multi-cloud strategy for resiliency and redundancy.”

Garret Grajek, CEO at YouAttest, added that given the ease and rapidity of the IaaS and PaaS offerings from the major cloud providers, it's a “no-brainer” that the hackers would use them to launch attacks.

“What this means for us, the ‘good guys,’ is that the whack-a-mole approach of blocking IPs and resources has become all but impossible in helping us to identify the command-and-control hacker centers,” Grajek said. “Instead, enterprises need to focus on the activities of the attack — that is, the exfiltration of data and the identity changes in the enterprise to stay persistent.”
