The campaign was first detected in October and is using services like AWS and Azure to hide its tracks and evade detection.
Talos, Cisco’s cybersecurity research arm, reports it has detected a new malware campaign that is using public cloud infrastructure to host and deliver variants of three remote access trojans (RATs) while maintaining enough agility to avoid detection.
The campaign, which Talos said began in late October 2021, has been seen primarily targeting the United States, Canada, Italy and Singapore, with Spain and South Korea also being popular targets for this latest attack.
Public cloud services like AWS and Microsoft Azure were both cited by Talos as having played host to the malware, and the attackers also used some serious obfuscation in their downloader. These attacks are evidence that threat actors are actively using cloud services as part of the latest form of attack, and that means trouble for vulnerable organizations.
How to host your malware in the cloud
The attacks that Talos detected involve variants of three RATs: Nanocore, Netwire and AsyncRAT, each of which is commercially available (also known as a commodity RAT). Each of the tools, Talos said, was being deployed with the goal of stealing user information.
In order to deliver the malware, the attackers used the free dynamic DNS (DDNS) service DuckDNS to redirect traffic. DDNS allows site owners to register a URL to a non-static IP address. In combination with using web services to host malware, DDNS makes it much harder to identify where the attack is coming from.
Decryption begins with the ejv() function, which is normally used for validating JSON files. Once it completes the first layer of decryption, ejv() hands off code with one layer of encryption removed, which has to be further decrypted using the Ox$() general purpose library. At layer three, the decryption process uses “another obfuscated function which has multiple function calls returning values and a series of eval() functions,” Talos said. Those eval() calls in turn use Ox$() to decrypt it yet again.
Lastly, obfuscation layer four uses the third-level function and some of its own self-decryption logic to decrypt the dropper and download the malware. Along with downloading it, layer four also adds a registry key to establish persistence, configures scheduled tasks for itself, attempts to mess with the alternate data stream attribute of NTFS files to hide its source, and fingerprints the machine.
How to avoid cloud-based malware
As is the case with many attacks, this one is complicated beneath the surface, but it still relies on human error to get its foot in the door. That said, the normal recommendations of “train your staff and install good security software” apply.
Talos adds that organizations should monitor their inbound and outbound traffic to ensure they’re not letting suspicious traffic pass by, restrict script execution at endpoints, and ensure they have a solid, reliable email filtering service in place.
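The traffic-monitoring advice above, combined with the campaign's reliance on DuckDNS, can be turned into a simple resolver-log check. This is an added example, not code from Talos or the article; the log format, hostnames and IP addresses are constructed, and the suffix list assumes DuckDNS is the only DDNS provider of interest.

```python
from collections import defaultdict

# Assumption: DuckDNS is the only DDNS provider named in the article; extend as needed.
DDNS_SUFFIXES = ("duckdns.org",)

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2021-11-02T09:14:03Z 10.0.4.17 www.example.com. A
2021-11-02T09:14:09Z 10.0.4.17 Host-A.DuckDNS.org. A
2021-11-02T09:15:41Z 10.0.4.17 host-a.duckdns.org A
2021-11-02T09:16:00Z 10.0.7.52 notduckdns.org. A
2021-11-02T09:16:12Z 10.0.7.52 duckdns.org.example.net. A
2021-11-02T09:17:30Z 10.0.9.8 host-b.duckdns.org. AAAA
malformed line without enough fields
"""

def is_ddns_name(qname, suffixes=DDNS_SUFFIXES):
    """True if qname is a subdomain of a DDNS suffix, matched on a label boundary."""
    # Normalise case and the trailing root dot before comparing.
    name = qname.rstrip(".").lower()
    # Requiring the leading "." rejects lookalikes such as notduckdns.org.
    return any(name.endswith("." + s) for s in suffixes)

def flag_ddns_queries(log_text, suffixes=DDNS_SUFFIXES):
    """Return {client_ip: {hostname: query_count}} for DDNS lookups only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than guessing
        _ts, client, qname, _qtype = fields
        if is_ddns_name(qname, suffixes):
            hits[client][qname.rstrip(".").lower()] += 1
    return {c: dict(h) for c, h in hits.items()}

if __name__ == "__main__":
    for client, names in sorted(flag_ddns_queries(SAMPLE_LOG).items()):
        for name, count in sorted(names.items()):
            print(f"{client} queried {name} x{count}")
```

A hit is a lead for triage, not a verdict, since DDNS also has legitimate uses.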