A malicious campaign has been discovered spreading variants of NetWire, Nanocore, and AsyncRAT while using public cloud infrastructure to host them. The campaign has been active since October 2021.

The abuse of public cloud services

Cisco Talos found that the hacker group using public cloud including Microsoft and Amazon to host their malware and compromise dynamic DNS for C2 activities.
  • The spear-phishing attacks mostly targeted entities based in countries, including the U.S., Italy, Singapore, and Canada, while some targets were seen in Spain and South Korea as well. The aim was to steal sensitive information.
  • Such campaigns usually begin with an invoice-themed phishing email laden with a ZIP file attachment.
  • Accessing those download next-stage payloads hosted on an AWS EC2 instance or Azure server leads to the deployment of different RATs, including AsyncRAT, Nanocore, and NetWire.

Complex obfuscation behavior

The attackers have used complex code and secured malware using several layers of obfuscation.
  • Researchers had to deobfuscate layer by layer to reveal the next stage payload and thereby reach the final payloads.
  • Additionally, the attackers were using the public cloud as a cloaking mechanism to avoid detection by security solutions.

Additional insights

  • The RATs can be used to obtain unauthorized access to sensitive data, which can be monetized for further attacks.
  • The attackers used a free dynamic DNS service, DuckDNS, to create subdomains for malware delivery.
  • Some subdomains are used as download servers while the other servers are operated as C2 for RAT payloads.

Conclusion

The multi-layered obfuscation technique manifests the complexity with which cybercriminals operate. It also underlines the trend that cybercriminals are increasingly looking for, as well as adopting, innovative ways to hide their malware. The abuse of public cloud services is a recent example of this trend, which is expected to grow further in near future.
Cyware Publisher

Publisher

Cyware