I. Targeted Entities
- Amazon Web Services
- Azure Cloud Services
Cybercriminals are taking advantage of Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), all aimed to collect sensitive information from select users. According to researchers at Cisco Talos, threat actors have been distributing variants of the malware known as AsyncRAT, Netwire, and Nanocore since October 2020, mainly to targets in Italy, Singapore, South Korea, Spain, and the United States.
III. Background Information
Researchers say that hosting the payloads on cloud services is a deliberate choice: it helps the attackers avoid detection and cuts the cost of the campaign, since they do not have to set up their own infrastructure. It also makes it harder for defenders to track down the attackers. The threat actor behind this campaign maintains a distributed infrastructure consisting of download servers, command-and-control servers (C2s), and malicious subdomains, researchers said. The download servers are hosted on Microsoft Azure and AWS. These well-known cloud services are used because of the inherent trust the public places in these companies to be secure. Network defenders may assume that communications to an IP address owned by Microsoft or Amazon are innocent because of the multitude of benign communications they routinely see to those providers across multiple services.
The RATs used in this campaign include:
- AsyncRAT: used to remotely monitor and control computers through a secure, encrypted connection to a C2 server. It also contains a keylogger, screen recorder, and a system configuration manager, which allows the attacker to steal confidential data from the victim’s machine
- NetwireRAT: a known threat used by attackers to steal victims’ passwords, login credentials, and credit card data. It can also remotely execute the commands and collect file-system information
- Nanocore: a 32-bit .NET portable executable, first seen in 2013. The version used in this campaign contains two plugins, called Client and SurveillanceEX. Client handles the communications with the C2 server, and SurveillanceEX captures video and audio, as well as monitoring remote desktop activity.
Talos researchers suggest that organizations deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages, and break the infection chain as early as possible.”
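The advisory's point about cloud-hosted download servers is that a request to an Azure or AWS address is not benign just because of who owns the IP. The following added example (not code from the Talos report or from Cyber Florida) shows one way to act on the "monitor traffic" recommendation: it parses web-proxy log lines and flags successful downloads of executable-looking content from public cloud storage hostnames, then reports how many internal machines contacted each such host, since a host reached by a single workstation is a better lead than a widely used SaaS endpoint. The log format, the IP addresses, the hostnames and the domain-suffix list are all constructed for this example; none of them are indicators from the advisory.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: generic public-cloud storage/hosting domain families a defender
# would review. These are illustrative suffixes, not IOCs from the advisory.
CLOUD_HOST_SUFFIXES = (
    ".blob.core.windows.net",
    ".cloudapp.azure.com",
    ".amazonaws.com",
)

# Content types and file extensions that suggest a payload rather than a
# document or ordinary web asset.
EXEC_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
}
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".iso", ".zip")

# Constructed proxy-log layout: timestamp src_ip method url status content_type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log lines (hosts and addresses are made up for the example).
SAMPLE_LOG = """\
2022-01-12T09:14:03Z 10.0.0.21 GET https://updates-example.blob.core.windows.net/pkg/setup.exe 200 application/x-msdownload 482113
2022-01-12T09:14:10Z 10.0.0.21 GET https://cdn.example.org/static/app.js 200 application/javascript 21133
2022-01-12T09:20:44Z 10.0.0.37 GET https://files-example.s3.amazonaws.com/docs/invoice.pdf 200 application/pdf 90211
2022-01-12T09:31:02Z 10.0.0.52 GET https://drop-example.s3.amazonaws.com/tmp/loader.vbs 200 text/plain 4331
2022-01-12T09:45:17Z 10.0.0.21 GET https://drop-example.s3.amazonaws.com/tmp/loader.vbs 404 text/html 512
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    rec["status"] = int(rec["status"])
    return rec


def is_cloud_host(host: str) -> bool:
    """True when the hostname falls under one of the cloud storage suffixes."""
    return host.lower().endswith(CLOUD_HOST_SUFFIXES)


def looks_executable(url: str, ctype: str) -> bool:
    """True when either the served content type or the URL path suggests a payload."""
    path = urlparse(url).path.lower()
    return ctype.lower() in EXEC_CONTENT_TYPES or path.endswith(EXEC_EXTENSIONS)


def find_cloud_payload_downloads(log_text: str) -> List[dict]:
    """Return successful (2xx) executable-looking downloads from cloud storage hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (200 <= rec["status"] < 300
                and is_cloud_host(rec["host"])
                and looks_executable(rec["url"], rec["ctype"])):
            hits.append(rec)
    return hits


def host_prevalence(log_text: str) -> Dict[str, int]:
    """Count distinct internal sources per cloud host, including failed requests.

    Low prevalence (one or two machines) is the triage signal: a host that the
    whole fleet talks to is probably legitimate SaaS traffic.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cloud_host(rec["host"]):
            seen[rec["host"]].add(rec["src"])
    return {host: len(srcs) for host, srcs in seen.items()}


if __name__ == "__main__":
    prevalence = host_prevalence(SAMPLE_LOG)
    for hit in find_cloud_payload_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} "
              f"(internal hosts contacting {hit['host']}: {prevalence[hit['host']]})")
```

On the sample data this reports the `.exe` from the Azure blob host and the `.vbs` from the S3 bucket, but not the PDF, the JavaScript served from a non-cloud CDN, or the request that returned 404. In practice the suffix list and the extension list are the tuning knobs; the prevalence count is what keeps the rule from paging on every legitimate cloud download.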
Miclain Keffeler, an application security consultant at nVisium, noted that the rise in the adoption of cloud technologies has forced a shift in security. But this shift means that cloud providers should also ensure that their systems are secure, saying that it is important for malicious usage of their services to be halted immediately when found. “These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”
IV. MITRE ATT&CK
- T1005 – Data From Local System
Threat actors can search through local system sources such as local databases to find sensitive data prior to exfiltration.
- T1063 – Security Software Discovery
Attackers can discover which security configurations, software, and sensors are currently running on a system.
- T1555 – Credentials From Password Stores
Attackers can retrieve stored passwords from mail and messaging applications.
- T1105 – Ingress Tool Transfer
The payload is downloaded from the C2 server onto the compromised host.
- T1059 – Command and Scripting Interpreter
For more MITRE ATT&CK techniques, please refer to the MITRE ATT&CK table in the attached CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
- Monitor Malware
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
- Implement Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- Multi-layered Security Controls
A multi-layered security system consists of numerous independent controls, each shielding a different operational layer, so that a single bypassed control does not give an attacker free rein.
- Enhance Email Security
Stronger email security allows malicious emails to be detected and mitigated before they reach users, breaking the infection chain at its first step.
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Raghuprasad, Chetan, and Vanja Svajcer. “Nanocore, Netwire and AsyncRAT Spreading Campaign Uses Public Cloud Infrastructure.” Cisco Talos Intelligence Group, January 12, 2022. https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html.
(2) Seals, Tara. “Amazon, Azure Clouds Host Rat-Ty Trio in Info-Stealing Campaign.” Threatpost English Global, January 12, 2022. https://threatpost.com/amazon-azure-clouds-rat-infostealing/177606/.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.