Cisco’s Talos Discovers a New Malware Campaign Using Public Clouds

Highlights –

• The attackers used a free dynamic DNS (DDNS) service DuckDNS to redirect traffic and, thus, deliver the malware.
• The primary targets of the campaign were the United States, Canada, Italy, Spain, and Singapore.
• These attacks prove that threat actors are increasingly using cloud services for their attacks, which also means trouble for vulnerable organizations.

Cisco’s cybersecurity division, Talos, has detected a new malware campaign that uses public cloud infrastructure to distribute and host three remote access trojans (RATs) while maintaining enough agility to avoid detection.

The campaign, which started in October 2021, is seen to have targeting countries such as the United States, Canada, Spain, and South Korea. Recent targets include Spain and South Korea.

Talos named various cloud servers to have played host to the malware, and the attackers also used serious obfuscation in the downloader. Such attacks prove that threat actors are using cloud services actively as part of the latest form of attack. This also means trouble for vulnerable organizations.

How to host your malware in the cloud

The attacks that Talos detected involve variants of three RATs: Nanocore, AsyncRAT, Netwire, each of which is commercially available (the other name is commodity RAT). Each of the tools was deployed to steal user information, said Talos.

Infections, as discovered by Talos, were a part of the campaigns and were coming through  phishing emails that carried malicious ZIP files containing a Javascript, Windows batch file or Visual Basic script. In turn, the files download the actual malware from AWS EC2 instance or Azure Windows server.

The attackers used a free dynamic DNS (DDNS) service DuckDNS to redirect traffic and, thus, deliver the malware. With DDNS, site owners can register a URL to a non-static IP address. In combination with using web services to host malware, DDNS makes it much harder to identify where the attack is coming from.

The attackers further use four different layers of obfuscation to hide their intent. Talos says the JavaScript version of the downloader uses four different functions to decrypt itself, and nested within each encrypted layer is the method by which it is later decrypted.

The first step in decryption is the ejv() function, which is used to validate JSON files. As the next step, the evj() delivers code with one layer of encryption removed, which needs to be further decrypted using the Ox$() general purpose library. Coming to the third layer, the decryption process uses “another obfuscated function which has multiple function calls returning values and a series of eval() functions,” Talos said. Those eval() calls in turn use Ox$() to decrypt it yet again.

The fourth layer makes use of the third-level function and  its own self-decryption logic to decrypt the dropper and download the malware. Besides downloading it, the fourth layer also adds a registry key to exhibit persistence. Further, it configures scheduled tasks for itself, attempts to mess with the alternate data stream attribute of NTFS files to hide its source, and fingerprints the machine.

How to avoid cloud-based malware

As with many attacks, the one talked about is complicated beneath the surface. However, to get a foot, it still relies on human error. That said, the normal recommendations of “train your staff and install good security software” apply.

Talos added that organizations should monitor their inbound and outbound traffic to ensure they’re not letting suspicious traffic pass by, restrict script execution at endpoints, and ensure you have a solid, reliable email filtering service in place.