A new report from Cisco Talos, the IT vendor’s security research team, details how hackers are increasingly using public cloud services like Azure and AWS that eliminates the need to host their own infrastructure.
Specifically, researchers narrowed in on a fall 2021 campaign that utilized variants of known remote access trojans that were deployed and delivered via cloud services. The remote administration tools (RATs) were packed with features that allowed the operator to take control over the victim’s environment and execute arbitrary commands remotely, researchers say.
When the initial script is executed on the victim’s computer, it connects to a download server to download the next stage, which can be hosted on an Azure cloud-based Windows server of an AWS EC2 instance.
The hackers registered several malicious subdomains using DuckDNS, a free dynamic DNS service, to deliver the malware payload. The hackers use this to regularly change the IP addresses of C2 servers and quickly add new subdomains.
Researchers also discovered an obfuscated PowerShell dropper script built by HCrypt builder associated with the download servers of the campaign.
According to researchers, the malware families used are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.
According to Cisco Talos, this research demonstrates that threat actors are increasingly using cloud services to carry out their malicious activities.
To prevent against these kind of attacks, Cisco Talos advises organizations to monitor their outgoing connections to cloud computing services for malicious traffic. The company also urges organizations to take a multi-layered approach to security.
“Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints,” researchers say. “It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”