Amazon and Azure Cloud Services Abused in a Malicious Trio RAT Campaign
Threat Actors Employ a Cocktail of Remote Access Trojans to Perform Private Data Theft.
Researchers have identified a malicious campaign leveraging a trio of remote access trojans that target Amazon Web Services (AWS) along with Azure Cloud Services. The threat actors’ goal is to steal victims’ data and carry out RCE (remote code execution).
What RATs Are Leveraged in This Triad?
By means of secure C2 server encrypted connections, it facilitates the control and monitoring of computers. Threat actors can perform confidential data theft through its keylogger, screen recorder, and system configuration manager features.
It serves the purpose of passwords, login credentials, and payment info stealing. Besides, hackers can use it to gather file-system data or perform remote execution of different commands.
Nanocore stands for a 32-bit .NET portable executable (PE) and consists of 2 plugins dubbed SurveillanceEx and Client. The first performs video and audio capturing, while the second manages the communications with the C2 server.
The Trio RAT Campaign: Details
As researchers highlight, hackers use since October malware variants like AsyncRAT, Netwire, and Nanocore to target Italy, the United States, Singapore, or victims from South Korea and Spain.
The trio RAT campaign’s first step is the distributing of a phishing email that encompasses a malicious ZIP attachment.
Creating a Cloud-Based Malicious Campaign
It’s worth mentioning that threat actors use a technique that helps them achieve two things: one is avoiding detection, the other is cutting the campaign’s costs because they do not own their personal infrastructure. The method they leverage is to host payloads within cloud services.
The hackers manage a distributed infrastructure that includes malicious subdomains, C&C servers along with download servers that refer to the ones hosted on AWS cloud and Microsoft Azure services.
Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. (…) The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function. (…) The batch script contains an obfuscated command that runs PowerShell to download and run a payload from a download server…on Azure Cloud. (…)Obfuscated VB downloaders execute a PowerShell command which runs and connects to the download server…running on AWS EC2.
Eventually, the hackers leverage DuckDNS dynamic DNS service to perform changes to the C2 hosts’ domain names. This helps them with further avoiding detection. According to the researchers, various malicious subdomains were registered by means of this service.
Garret Grajek, the CEO from YouAttest also declared that
The attacks like this one show a team effort in scanning, exploiting, obfuscation and then finally exfiltration.
Recommended Mitigation Measures
The Talos experts recommend organizations to “deploy multi-layered security controls” along with traffic monitoring and setting rules for script execution policies as well as enhancing the email security strategy in order to keep their assets well protected and work on similar threats detection.
How Can Heimdal™ Help?
Cloud technologies meet a huge interest and adoption nowadays, thus efficient security solutions are required. Our Heimdal™ Threat Prevention was awarded Best Cloud-Delivered Security Solution of the Year at the Networking Computing Awards 2021. It combines cybercrime intelligence, AI-based prevention, and Machine Learning. Use it to prevent future threats with 96 % accuracy!