Cisco Talos finds a new malware attack using the public clouds to hide its tracks

First detected in October, the campaign uses Azure and AWS services to hide its tracks and evade detection.


Talos, Cisco’s cybersecurity arm, reported that it has detected a new malware campaign. The campaign uses public cloud infrastructure to host and deliver three malware variants, while staying agile enough to avoid detection.

Talos stated that the campaign began in October 2021. It was primarily directed at the United States, Canada and Italy. However, it also targeted South Korea and Spain. 


Talos identified AWS and Microsoft Azure as the cloud services hosting the malware, and noted that the attackers used heavy obfuscation in the code that downloads it. The campaign shows that threat actors are actively using cloud services in current attacks, which is bad news for vulnerable organizations.

How to host your malware on the cloud

Talos discovered three RAT variants in the attacks: Nanocore, Netwire and AsyncRAT. Each of these RATs is available commercially (they are also known as commodity RATs). Talos claimed that each of these tools was being used with the intent of stealing user data.

Talos discovered that infections are being spread via phishing emails carrying malicious ZIP files. These ZIP files contain a JavaScript file, a Windows batch file or a Visual Basic script. That file then downloads the malware from either an Azure Windows server or an AWS EC2 instance.

The attackers used DuckDNS, a free dynamic DNS (DDNS) service, to redirect traffic when distributing the malware. With DDNS, site owners can point a hostname at a non-static IP address. DDNS, combined with web services that host the malware, makes it harder to pinpoint the source of the attack.

The attackers use four layers of obfuscation to conceal their intentions. Talos says the JavaScript version uses four functions to decrypt itself, and each encrypted layer contains the routine used to decrypt the layer beneath it.

The first step in decryption is the ejv() function, which is normally used to validate JSON files. Once it has decrypted the first layer, ejv() hands off code with one layer of encryption removed, which must be decrypted further using the general-purpose Ox$() library. Layer three uses “another opaque function that has multiple function calls returning value and a series eval() functions,” Talos said. Those eval() calls in turn use Ox$() to decrypt the code again.


Finally, the fourth layer of obfuscation uses the third-layer function as well as some self-decryption logic of its own to decrypt the dropper. Layer four adds registry keys to establish persistence, configures a scheduled task for itself, attempts to tamper with the alternate data stream attribute of NTFS files, and fingerprints the system.

How to avoid cloud-based malware

This attack, like many others, is complex beneath the surface, yet it still relies on human error to get in the door. The usual recommendations to “train your staff” and “install good security software” still apply.

Talos also recommends that organizations monitor inbound and outbound traffic so that suspicious connections do not pass unnoticed, and that they restrict script execution on endpoints. Finally, ensure you have a reliable email filtering service.
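As an added example (not code from Talos or the article), the following mail-gateway triage helper ties the delivery vector described above (ZIP attachments carrying .js, .bat or .vbs files) to the layered eval() obfuscation described in the previous section: it flags script members in a ZIP and scores any JavaScript by how many eval() calls it chains. The threshold of three eval() calls and the sample attachment are constructed assumptions, and the "ejv" helper in the sample is a harmless stand-in, not the real first-layer function.

```python
import io
import re
import zipfile

# Attachment payload types the report describes: JavaScript, Windows batch, Visual Basic script.
SCRIPT_EXTENSIONS = (".js", ".bat", ".vbs")
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)
EVAL_THRESHOLD = 3  # assumption: three or more eval() calls in one script is suspicious


def eval_call_count(js_source: str) -> int:
    """Count eval() calls; layered self-decrypting droppers chain several of them."""
    return len(EVAL_CALL.findall(js_source))


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment in memory and return script members, eval-heavy JS and a verdict."""
    findings = {"scripts": [], "eval_heavy": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(SCRIPT_EXTENSIONS):
                continue
            findings["scripts"].append(info.filename)
            if name.endswith(".js"):
                source = zf.read(info).decode("utf-8", errors="replace")
                if eval_call_count(source) >= EVAL_THRESHOLD:
                    findings["eval_heavy"].append(info.filename)
    # Scripts with chained eval() get blocked outright; any other script still gets held for review.
    if findings["eval_heavy"]:
        findings["verdict"] = "block"
    elif findings["scripts"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(with_script: bool = True) -> bytes:
    """Constructed sample attachment: a text file plus, optionally, a JS file with chained eval()."""
    # Harmless stand-in for a self-decrypting script: the evals only evaluate the string "1+1".
    layered_js = "var ejv=function(s){return s};\neval(ejv(eval(eval('\"1+1\"'))));\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "Please see attached.")
        if with_script:
            zf.writestr("Invoice_2021.js", layered_js)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```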
