Campaign Uses Public Cloud to Spread RAT Payloads

Everything is migrating to the cloud, including threat actors. Now it seems a trio of remote access Trojans (RATs)—Nanocore, Netwire and AsyncRAT—are being spread in a campaign that taps public cloud infrastructure and is primarily aimed at victims in the U.S., Italy and Singapore.

By using complex obfuscation techniques in the downloader script, the attackers ensure that “each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method,” according to Cisco Talos researchers who discovered the malicious campaign.

“Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure,” the researchers wrote. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers’ operations.”

The attack starts with a phishing email with a malicious ZIP archive file attached. The file contains an ISO image that includes a malicious loader in either JavaScript, a Windows batch file or a Visual Basic script. “When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure cloud-based Windows server or an AWS EC2 instance,” the researchers said.

The threat actor registers several malicious subdomains through DuckDNS that are used to deliver the malware payload—either Netwire, Nanocore or AsyncRAT RATs. Cisco Talos warns that organizations should inspect “outgoing connections to cloud computing services for malicious traffic.”

The initial infection vector is a phishing email with a malicious ZIP attachment. These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in the post demonstrate how attackers are increasing their use of popular cloud platforms for hosting malicious infrastructure.

The researchers also found an obfuscated PowerShell dropper script built by HCrypt builder that was associated with the download servers used in the campaign.

“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets,” the researchers wrote. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”

“Today, most organizations are employing advanced spam filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from executing,” said Chris Olson, CEO at The Media Trust. “But as we’ve seen many times before, cyber actors adapt to obstacles by changing their tactics—in this case, by deploying obfuscated code to escape detection and dynamic DNS to prevent blocking.”

Olson said cloud-based attackers “are a little late to the game here, as we’ve seen both these tactics used for years in AdTech and web-based attacks.”

Stephanie Simpson, vice president of product management at SCYTHE, agreed. “Attacks against remote administration tools are nothing new. We’ve already seen them for technologies like NetWire and being used by cybercriminals like SlotfhfulMedia malware,” she said. “This is another case of threat actors changing their tactics, techniques and practices (TTPs); adjusting to new environments.”

She advised that “when testing security controls, organizations need to start thinking about the different ways that malicious actors are changing known TTPs to find new ways to attack systems.”