Researchers at Cisco Talos have uncovered a cyber espionage campaign using public cloud services from Amazon and Microsoft to deploy a trio of commercial remote access trojans (RATs) and steal data from infected machines.
The campaign was discovered in October 2021, with most victims based in the US, Canada, Italy and Singapore.
The threat actors appear to be using popular cloud services to save time, money and effort when it comes to setting up attack infrastructure. It also helps to make attackers’ activities harder to track and trace.
As with many campaigns, the attack chain begins with a phishing email, often disguised as an invoice.
These mails contains a ZIP file attachment that, when opened, reveals an ISO image. The ISO file contains malicious loader for the Trojan in the form of JavaScript, a Visual Basic script, or a Windows batch file.
These scripts are designed to deploy AsyncRAT, Nanocore and Netwire RATs, and are triggered when a victim attempts to load the disk image.
The script connects to a server to download the next-stage payload hosted on an AWS EC2 instance or Azure Cloud-based Windows server, eventually leading to the deployment of various different RATs.
The AsyncRAT, Nanocore and Netwire RAT families have been used in the past for everything from cyberespionage campaigns to business email compromise attacks.
“These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer explained in a blog post.
The downloader scripts used in this attack employ a number of obfuscation methods to mask their operations. There are four layers of obfuscation in JavaScript, while the VBScript file uses PowerShell commands.
Similarly, the Windows batch file includes obfuscated commands that invoke PowerShell to pick up its payload.
To further cover their tracks, the attackers use DuckDNS, a free dynamic DNS service that enables them to change the domain names of the C2 hosts. Researchers found that the attackers have registered several malicious subdomains using the service.
Cisco Talos is advising admins to counter the attack by inspecting outgoing connections to cloud computing services for malicious traffic.
“Organisations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets.
“Defenders should monitor traffic to their organisation and implement robust rules around the script execution policies on their endpoints.”
“It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”