New cyberattack campaign uses public cloud infrastructure to spread RATs
A recently discovered attack campaign uses public cloud infrastructure to deliver variants of commodity remote access Trojans (RATs), namely Nanocore, Netwire, and AsyncRAT, in order to steal victims' data, researchers report.
This campaign, detected in October, underscores how attackers are increasing their use of cloud technologies to achieve their goals without having to host their own infrastructure, report the Cisco Talos researchers who observed it. It’s the latest example of adversaries using cloud services, such as Microsoft Azure and Amazon Web Services, to launch their attacks.
“These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments,” researchers wrote in a blog post. The strategy has another benefit, they added: “It also makes it more difficult for defenders to track down the attackers’ operations.”
Most victims in this case are in the United States, Italy, and Singapore, Cisco Secure product telemetry indicates. The RATs they are targeted with ship with features to take control of a compromised host, remotely execute commands, and exfiltrate the target's information.
An attack starts with a phishing email that contains a malicious ZIP attachment. The ZIP archive wraps an ISO image, and the ISO image carries the loader as a JavaScript file, a Visual Basic script, or a Windows batch file. To get recipients to open the attachment, the attackers disguise the email as a fake invoice.
The unknown attackers behind this campaign wrap the downloader in four layers of obfuscation. Each stage of the deobfuscation process yields the decryption routine for the following stage, and the last stage downloads the final payload. When the initial script is executed on a target machine, it connects to a download server to fetch the next stage; that server can be an Azure-based Windows server or an AWS EC2 instance, researchers said.
To deliver the malware, the attackers registered multiple malicious subdomains using DuckDNS, a free dynamic DNS service that allows a user to create subdomains and maintain the records using the DuckDNS scripts. Some of the malicious subdomains resolve to the download server on Azure Cloud; others resolve to the servers operated as command-and-control (C2) for RATs.
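The two stages described above, the ZIP-wrapped ISO attachment and the DuckDNS names resolving to cloud-hosted download and C2 servers, both leave artifacts a defender can check for. The following Python is an added example written for this summary, not code from Cisco Talos or Dark Reading: it triages a ZIP attachment by looking for an ISO 9660 volume signature inside its entries (rather than trusting file extensions) and for script loaders stored directly in the archive, and it scans resolver log lines for dynamic-DNS names whose answers fall in cloud address ranges. The log line format, the sample log lines, the `duckdns.org` hostnames, and the address ranges (RFC 5737 TEST-NET blocks standing in for provider ranges) are all constructed for this example.

```python
import io
import re
import zipfile
from ipaddress import ip_address, ip_network

# Stage 1: the phishing attachment. Talos describes a ZIP that wraps an ISO image,
# with a JavaScript, VBScript or batch loader inside the ISO.
LOADER_EXTS = {".js", ".vbs", ".bat"}
ISO_MAGIC_OFFSET = 0x8001      # ISO 9660 primary volume descriptor starts at sector 16
ISO_MAGIC = b"CD001"           # standard identifier found at that offset in every ISO 9660 image


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _is_iso_image(head):
    """True if the leading bytes carry the ISO 9660 volume descriptor signature."""
    return head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_zip_attachment(zip_bytes):
    """Return findings for a ZIP attachment: disk images detected by content,
    and script loaders sitting directly in the archive."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        with zf.open(info) as fh:
            head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
        if _is_iso_image(head):
            findings.append(f"ISO image inside ZIP: {info.filename}")
        elif _ext(info.filename) in LOADER_EXTS:
            findings.append(f"script loader inside ZIP: {info.filename}")
    return findings


def build_sample_zip():
    """Constructed sample attachment: a minimal fake ISO, a batch loader and a benign text file."""
    fake_iso = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 2048
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iso", fake_iso)
        zf.writestr("invoice.bat", b"echo constructed sample")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


# Stage 2: network side. The campaign used free DuckDNS subdomains resolving to
# Azure/AWS hosts for both the download server and the RAT C2.
DDNS_SUFFIXES = ("duckdns.org",)
# Constructed stand-ins for cloud provider ranges (TEST-NET blocks). A real deployment
# would load the providers' published IP range lists instead.
CLOUD_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Assumed resolver log format for this example: "<timestamp> <client> query <qname> A <answer>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$")


def flag_dns_lines(lines):
    """Return (client, qname, answer, cloud_hosted) for every query to a dynamic-DNS name."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if not any(qname == s or qname.endswith("." + s) for s in DDNS_SUFFIXES):
            continue
        try:
            answer = ip_address(m["answer"])
        except ValueError:
            continue                      # skip malformed or non-address answers
        cloud_hosted = any(answer in net for net in CLOUD_RANGES)
        hits.append((m["src"], qname, str(answer), cloud_hosted))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_DNS_LOG = [
    "2021-10-05T09:12:01Z 10.0.0.17 query constructed-loader.duckdns.org. A 203.0.113.45",
    "2021-10-05T09:12:03Z 10.0.0.17 query cdn.example.com. A 192.0.2.10",
    "2021-10-05T09:15:40Z 10.0.0.23 query constructed-c2.duckdns.org. A 192.0.2.77",
]

if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
    for hit in flag_dns_lines(SAMPLE_DNS_LOG):
        print(hit)
```

Checking for the `CD001` signature matters because an ISO renamed to another extension still mounts on double-click in Windows; extension-only filters miss it. A dynamic-DNS name resolving into a cloud range is not malicious by itself, so the `cloud_hosted` flag is meant as an enrichment to prioritise alerts, not as a block decision on its own.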
To read the complete article, visit Dark Reading.