Load Malware from Public Cloud Campaign

Moazzam Khan
Published in allaboutsecurity
3 min read, Feb 12, 2022

Organizations are on a journey to the cloud, and more and more workloads are being shifted there every single day.

[Figure: Enterprise Shift To Cloud]

Threat actors are also tagging along on this journey, and for the very same reasons that enterprises are adopting cloud.

[Figure: Bad Guys Are Also Moving to Cloud]

Some of the reasons that make public cloud very attractive for threat actors are:

  • It helps them avoid detection, because well-known public cloud vendors are usually whitelisted on security controls such as firewalls.
  • They can quickly set up their infrastructure. This especially helps them when their earlier infrastructure is taken down: they simply set up a new instance and continue their operations.
  • Low cost of ownership, constant availability, no maintenance and scalability are some other reasons that make public cloud such an attractive place to hide.

[Figure: Why Cloud is Attractive for Threat Actors]

One such campaign by threat actors was recently discovered by the Cisco Talos threat intelligence team, where actors were using public cloud to store malware. The malware used in this campaign are remote access trojans (RATs), which are used to remotely control an infected machine and steal secrets. NANOCORERAT, NETWIRERAT and ASYNCRAT are the specific malware used in this campaign.

The threat vector is a phishing email containing a zip file. If the user opens that file, it contains an ISO image that is heavily obfuscated with several layers. A de-obfuscation routine runs in four stages and unpacks the downloader, which then fetches the malware from the public cloud.

[Figure: Flow of Campaign Operation]
[Figure: Downloader De-Obfuscation Process in Four Stages]

The campaign uses DuckDNS, a dynamic DNS service, which means the actors are not tied to a static IP address and can dynamically change their domains in case of takedowns.

The campaign mainly impacted users in the US, Italy and Singapore.

The following are some remediations that organizations can take to avoid getting hit by this campaign.

  • Kill the attack early in the chain by having effective email protections such as phishing detection, marking external email and training users.
  • Having strict code execution policies on endpoints prevents malware from taking a foothold.
  • Having User Behavior Analytics (UBA) and User and Entity Behavior Analytics (UEBA) helps identify anomalous entities on your network.
  • Monitor traffic to public cloud by using a broker solution such as a Cloud Access Security Broker (CASB).
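Two of the indicators described above (a zip attachment that wraps an ISO image, and DNS lookups for DuckDNS names) can be checked with a small script. This is an added example written for this article, not code from Cisco Talos or the campaign; the zip attachment and DNS log lines are constructed samples, and the log format (timestamp, host, "query", type, domain) is assumed.

```python
import io
import re
import zipfile

# Constructed sample: a zip attachment carrying a dummy ISO entry,
# mirroring the zip-wraps-ISO delivery described in the article.
def build_zip_with_iso() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iso", b"\x00" * 64)  # placeholder ISO bytes
    return buf.getvalue()

# Constructed DNS query log lines (assumed format, not from the campaign).
SAMPLE_DNS_LOG = """\
2022-02-12T10:01:03Z host1 query A mail.example.com
2022-02-12T10:01:09Z host2 query A update-srv.duckdns.org
2022-02-12T10:02:41Z host3 query A cdn.example.net
"""

# Matches any subdomain of duckdns.org (the dynamic DNS provider named above).
DUCKDNS_RE = re.compile(r"(^|\.)duckdns\.org$", re.IGNORECASE)
# ISO is what the article describes; .img is included as a closely related container.
DISK_IMAGE_EXTS = (".iso", ".img")

def zip_contains_disk_image(data: bytes) -> list:
    """Return the names of disk-image files nested inside a zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(DISK_IMAGE_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a zip at all: nothing to flag here

def flag_dyndns_queries(log_text: str) -> list:
    """Return (host, domain) pairs for DNS queries that resolve DuckDNS names."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash
        host, domain = parts[1], parts[4]
        if DUCKDNS_RE.search(domain):
            hits.append((host, domain))
    return hits

if __name__ == "__main__":
    print("nested disk images:", zip_contains_disk_image(build_zip_with_iso()))
    print("DuckDNS lookups:", flag_dyndns_queries(SAMPLE_DNS_LOG))
```

A DuckDNS lookup is not malicious on its own; the hit is a lead to correlate with the attachment check and with endpoint execution events.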

So what are public cloud vendors doing to prevent the misuse of their infrastructure? We will cover this topic in another article.
