Threat actors are using Amazon and Microsoft's public cloud services in their malicious campaigns to deliver commodity remote access trojans (RATs) like Nanocore, Netwire, and AsyncRAT to siphon sensitive data from victim systems.
Researchers from Cisco Talos said in a report shared with The Hacker News that the spear-phishing attacks, which began in October 2021, have predominantly targeted companies in the United States, Canada, Italy, and Singapore.
Using existing infrastructure to support intrusions is becoming more common because it eliminates the need for attackers to run their own servers, and it also serves as a cloaking device to avoid detection by security solutions.
Collaboration and communication applications such as Discord, Slack, and Telegram have recently found their way into many infection chains to take over and exfiltrate data from victim machines. In this light, cloud platform abuse is a tactical extension that attackers can utilize as a first step into a wide range of networks.
It all starts with an invoice-themed phishing email containing a ZIP file attachment that, when opened, initiates an attack sequence that downloads next-stage payloads hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, culminating in the deployment of various RATs such as AsyncRAT, Nanocore, and Netwire.
The use of DuckDNS, a free dynamic DNS service, to generate malicious subdomains to deliver malware is also noteworthy, with some of the actor-controlled malicious subdomains resolving to the download server on Azure Cloud and other servers serving as C2 for RAT payloads.
see hijacked websites being used to host malware and other infrastructure, demonstrating that these adversaries will use any and all ways to obtain access to victims.”
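The DuckDNS subdomains resolving to cloud-hosted servers, described above, give defenders a hunting pivot in resolver logs. The following is an added example, not code from the article or from Cisco Talos; the log format, the placeholder CIDR ranges, and every hostname and address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: dynamic DNS zones to watch; the article names DuckDNS.
DYNDNS_ZONES = ("duckdns.org",)

# Constructed placeholder ranges (RFC 5737 documentation nets) standing in for
# cloud address space; in practice load the providers' published ranges.
CLOUD_RANGES = {
    "aws-placeholder": ipaddress.ip_network("198.51.100.0/24"),
    "azure-placeholder": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer>"
SAMPLE_LOG = """\
2022-01-10T09:14:02Z 10.0.4.17 invoice-portal.example.com. 192.0.2.10
2022-01-10T09:14:05Z 10.0.4.17 Sample-Host.DuckDNS.org. 203.0.113.45
2022-01-10T09:15:11Z 10.0.4.17 sample-c2.duckdns.org 198.51.100.7
2022-01-10T09:16:40Z 10.0.9.3 notduckdns.org 203.0.113.99
2022-01-10T09:17:02Z 10.0.9.3 duckdns.org.example.net 198.51.100.8
2022-01-10T09:18:30Z 10.0.2.8 home-nas.duckdns.org 192.0.2.77
malformed line
"""

def in_zone(qname, zones=DYNDNS_ZONES):
    """True only for a strict subdomain of a watched zone (label-boundary match)."""
    name = qname.rstrip(".").lower()
    return any(name.endswith("." + z) for z in zones)

def cloud_label(answer):
    """Return the name of the range containing the answer, or None."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return next((n for n, net in CLOUD_RANGES.items() if ip in net), None)

def hunt(log_text):
    """Map client -> [(qname, answer, range)] for dynamic DNS names in cloud space."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, client, qname, answer = parts
        label = cloud_label(answer)
        if in_zone(qname) and label:
            hits[client].append((qname.rstrip(".").lower(), answer, label))
    return dict(hits)
```

Calling `hunt(SAMPLE_LOG)` groups the flagged lookups by client, so a workstation that resolves several dynamic DNS names into cloud ranges shortly after an email attachment was opened stands out for triage.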