Threat actors use Microsoft Azure to host malware and C2 servers
- This development came to light after security researchers discovered malware on the platform.
- The samples found by the researchers were undetected on Azure servers.
The popular cloud platform Microsoft Azure was found to be hosting malicious software. The malicious samples were discovered by two security researchers, @JayTHL and @malwrhunterteam, who reported them to Microsoft on May 12. However, according to security firm AppRiver, the samples are still said to be active on Azure. Microsoft's antivirus program Windows Defender detects both of these malicious samples.
What samples were detected?
- As per AppRiver’s analysis, two samples were uploaded on VirusTotal at the end of April this year. The first sample ‘searchfile.exe’ was uploaded on April 26, 2019, while the second one called ‘printer/prenter.exe’ was submitted on April 30, 2019. Windows Defender detects ‘searchfile.exe’ as Trojan:Win32/Occamy.C.
- Both samples went undetected on Azure. Analysis of ‘printer/prenter.exe’ revealed that the sample was an uncompiled C# .NET portable executable file. Experts say that shipping the file uncompiled is a technique to evade antivirus solutions: when executed, the sample invokes the built-in Visual C# compiler to drop the payload.
- The malicious agent in ‘printer/prenter.exe’ generates XML SOAP requests to communicate with a malicious Azure-hosted command-and-control (C2) site.
Bots in action
In a tweet, @JayTHL describes the agent in ‘printer/prenter.exe’, which checks in every two minutes for communication. “it looks like a simple agent.c# .net exe isn't packed. checks in every ~120 seconds and just runs whatever commands come back. if bots get a sequential ID, there's about 90 bots right now,” Jay tweeted.
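A fixed ~120-second check-in over SOAP is exactly the kind of regularity a defender can look for in proxy or firewall logs. The following Python is an added example, not code from the article or the researchers: it parses a constructed proxy log (the client address, the C2 hostname and the timestamps are all placeholders) and flags client/host pairs whose XML POST requests recur at a near-constant interval with low jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): timestamp, client,
# method, host, request content type. The C2 hostname is a placeholder.
SAMPLE_LOG = """\
2019-05-12T10:00:00 10.0.0.5 POST c2.example.net text/xml
2019-05-12T10:00:07 10.0.0.5 GET www.example.com text/html
2019-05-12T10:02:01 10.0.0.5 POST c2.example.net text/xml
2019-05-12T10:03:55 10.0.0.5 GET www.example.com text/html
2019-05-12T10:04:00 10.0.0.5 POST c2.example.net text/xml
2019-05-12T10:06:01 10.0.0.5 POST c2.example.net text/xml
2019-05-12T10:07:30 10.0.0.5 GET www.example.com text/html
2019-05-12T10:08:00 10.0.0.5 POST c2.example.net text/xml
"""

def parse_log(text):
    """Yield (timestamp, client, method, host, ctype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield (ts, parts[1], parts[2], parts[3], parts[4])

def find_beacons(records, expected=120.0, tolerance=0.10, min_hits=4):
    """Return {(client, host): stats} for SOAP-style POST streams whose
    inter-request gaps cluster around `expected` seconds with low jitter."""
    by_pair = defaultdict(list)
    for ts, client, method, host, ctype in records:
        # SOAP traffic is POSTed with an XML content type.
        if method == "POST" and ctype in ("text/xml", "application/soap+xml"):
            by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # Flag when the average gap sits near the expected period and the spread is small.
        if abs(avg - expected) <= tolerance * expected and jitter <= tolerance * expected:
            hits[pair] = {"requests": len(stamps), "mean_gap": avg, "jitter": jitter}
    return hits

if __name__ == "__main__":
    for (client, host), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats}")
```

Real agents often add randomised sleep, so in production the tolerance should be tuned against observed traffic rather than left at 10%.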
Abusing cloud platforms
Lately, Azure has become a new means for threat actors to store and host malicious software. In fact, attackers have started abusing cloud platforms and services such as Google Cloud and AWS in order to carry out attack campaigns stealthily.