The campaign uses the public cloud to deliver RAT payloads


Everything moves to the cloud, including threat actors. It now appears that a trio of Remote Access Trojans (RATs) – Nanocore, Netwire and AsyncRAT – are spreading in a campaign that exploits public cloud infrastructure and primarily targets victims in the United States, Italy and Singapore.

By using complex obfuscation techniques in the downloader script, the attackers ensure that “every step in the deobfuscation process leads to the decryption methods so that subsequent steps finally arrive at the actual malicious download method,” according to the Cisco Talos researchers who discovered the malicious campaign.

“Threat actors are increasingly using cloud technologies to achieve their goals without having to resort to hosting their own infrastructure,” the researchers wrote. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it harder for defenders to track attacker operations.”

The attack begins with a phishing email with a malicious ZIP archive file attached. The file contains an ISO image that includes a malicious JavaScript loader, Windows batch file, or Visual Basic script. “When the initial script is run on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure cloud-based Windows server or an AWS EC2 instance,” the researchers wrote.

The threat actor registers several malicious subdomains via DuckDNS, which are used to deliver the malware payload, either Netwire, Nanocore or AsyncRAT. Cisco Talos warns that organizations should inspect “outgoing connections to cloud services for malicious traffic.”

Organizations should inspect outbound connections to cloud services for malicious traffic. The campaigns described by Talos show how attackers are increasingly using popular cloud platforms to host malicious infrastructure.

The researchers also found an obfuscated PowerShell dropper script, built with the HCrypt builder, that was associated with the download servers used in the campaign.

“Organizations should deploy comprehensive, multi-layered security controls to detect similar threats and protect their assets,” the researchers wrote. “Defenders should monitor traffic to their organization and implement strong rules around script execution policies on their endpoints. It is even more important for organizations to improve email security in order to detect and mitigate malicious emails and break the chain of infection as early as possible.”
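As an added illustration (not code from the Talos report or from this article) of the two detection points raised above, inspecting outbound connections to cloud and dynamic-DNS hosts and watching script interpreters on endpoints, the following script scores constructed Sysmon-style network-connection records. The records, hostnames and process list are constructed for the example; only the cloud providers, DuckDNS and the loader types come from the report.

```python
# Constructed, Sysmon-style network-connection records for this example (not real telemetry):
# <timestamp> <initiating process image> <destination hostname> <destination port>
SAMPLE_EVENTS = """\
2022-01-12T09:14:03Z C:\\Windows\\System32\\wscript.exe update-check.duckdns.org 80
2022-01-12T09:14:05Z C:\\Windows\\System32\\cmd.exe ec2-203-0-113-10.compute-1.amazonaws.com 443
2022-01-12T09:20:11Z C:\\Program Files\\Mozilla Firefox\\firefox.exe www.example.com 443
2022-01-12T09:21:40Z C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe files.example.org 443
"""

# Interpreters for the loader types the report names: JavaScript/VBScript (wscript, cscript),
# batch files (cmd) and the HCrypt-built PowerShell dropper (powershell).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)  # DuckDNS is the dynamic-DNS provider named in the report
CLOUD_SUFFIXES = (".amazonaws.com", ".cloudapp.azure.com")  # public DNS suffixes of EC2 / Azure VMs

def parse_event(line: str) -> tuple[str, str, str, int]:
    """Split one record into (timestamp, image, host, port); the image path may contain spaces."""
    timestamp, rest = line.split(None, 1)
    image, host, port = rest.rsplit(None, 2)
    return timestamp, image, host.lower(), int(port)

def classify(image: str, host: str) -> list[str]:
    """Return the reasons an outbound connection resembles the campaign's download stage."""
    reasons = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append("script host initiated outbound connection")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic DNS destination")
    if host.endswith(CLOUD_SUFFIXES):
        reasons.append("cloud VM destination")
    return reasons

def find_suspicious(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Flag every record with at least one reason; a script host reaching a
    dynamic-DNS or cloud host at once is the strongest match for this campaign."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            _, image, host, _ = parse_event(line)
            reasons = classify(image, host)
            if reasons:
                hits.append((image, host, reasons))
    return hits

if __name__ == "__main__":
    for image, host, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{image} -> {host}: {', '.join(reasons)}")
```

A browser reaching an ordinary site produces no reasons, while a script interpreter alone is a weak signal that becomes strong when combined with a dynamic-DNS or cloud VM destination.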

“Today, most organizations use advanced spam filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from running,” said Chris Olson, CEO of The Media Trust. “But as we’ve seen time and again before, cyber actors adapt to obstacles by changing their tactics – in this case, deploying obfuscated code to evade detection and dynamic DNS to prevent blocking.”

Olson said cloud-based attackers “are a bit behind the game here because we’ve seen these two tactics used for years in AdTech and web-based attacks.”

Stephanie Simpson, vice president of product management at SCYTHE, agrees. “Attacks against remote administration tools are not new. We’ve seen them before for technologies like NetWire and used by cybercriminals like the SlothfulMedia malware,” she said. “This is another case of threat actors changing their tactics, techniques and practices (TTP) and adapting to new environments.”

She said that “when testing security controls, organizations need to start thinking about the different ways malicious actors modify known TTPs to find new ways to attack systems.”
