article featured image


Researchers have identified a malicious campaign leveraging a trio of remote access trojans that target Amazon Web Services (AWS) along with Azure Cloud Services. The threat actors’ goal is to steal victims’ data and carry out RCE (remote code execution).

What RATs Are Leveraged in This Triad?

Experts from Cisco Talos published a report on this topic. According to them, the following malware families were used in this trio RAT campaign: AsyncRAT, NetwireRAT, and Nanocore.


By means of secure C2 server encrypted connections, it facilitates the control and monitoring of computers. Threat actors can perform confidential data theft through its keylogger, screen recorder, and system configuration manager features.


It serves the purpose of passwords, login credentials, and payment info stealing. Besides, hackers can use it to gather file-system data or perform remote execution of different commands.


Nanocore stands for a 32-bit .NET portable executable (PE) and consists of 2 plugins dubbed SurveillanceEx and Client. The first performs video and audio capturing, while the second manages the communications with the C2 server.

The Trio RAT Campaign: Details

As researchers highlight, hackers use since October malware variants like AsyncRAT, Netwire, and Nanocore to target Italy, the United States, Singapore, or victims from South Korea and Spain.

The trio RAT campaign’s first step is the distributing of a phishing email that encompasses a malicious ZIP attachment.

These .ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. (…) When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.


Creating a Cloud-Based Malicious Campaign

It’s worth mentioning that threat actors use a technique that helps them achieve two things: one is avoiding detection, the other is cutting the campaign’s costs because they do not own their personal infrastructure. The method they leverage is to host payloads within cloud services.

The hackers manage a distributed infrastructure that includes malicious subdomains, C&C servers along with download servers that refer to the ones hosted on AWS cloud and Microsoft Azure services.

What’s more, is the nature of the malicious campaign’s JavaScript downloader that shows characteristics like the four-layer obfuscation method in its script. Then, a range of different dropper trojans is being leveraged in this campaign consisting of both a VBScript downloader and a batch-file downloader.

Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. (…) The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function. (…) The batch script contains an obfuscated command that runs PowerShell to download and run a payload from a download server…on Azure Cloud. (…)Obfuscated VB downloaders execute a PowerShell command which runs and connects to the download server…running on AWS EC2.


Eventually, the hackers leverage DuckDNS dynamic DNS service to perform changes to the C2 hosts’ domain names. This helps them with further avoiding detection. According to the researchers, various malicious subdomains were registered by means of this service.

Garret Grajek, the CEO from YouAttest also declared that

The attacks like this one show a team effort in scanning, exploiting, obfuscation and then finally exfiltration.


Recommended Mitigation Measures

The Talos experts recommend organizations to “deploy multi-layered security controls” along with traffic monitoring and setting rules for script execution policies as well as enhancing the email security strategy in order to keep their assets well protected and work on similar threats detection.

How Can Heimdal™ Help?

Cloud technologies meet a huge interest and adoption nowadays, thus efficient security solutions are required. Our Heimdal™ Threat Prevention was awarded Best Cloud-Delivered Security Solution of the Year at the Networking Computing Awards 2021. It combines cybercrime intelligence, AI-based prevention, and Machine Learning. Use it to prevent future threats with 96 % accuracy!

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *