


Similar articles

| Id | Source | Date | Title | Prob | Score |
|---|---|---|---|---|---|
| 223683 | ZDNET | 2022-1-12 | Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse | | 1.000 |
| 223745 | TECHREPUBLIC | 2022-1-12 | Cisco Talos discovers a new malware campaign using the public cloud to hide its tracks | 0.953 | 0.584 |
| 223861 | ZDNET | 2022-1-10 | Abcbot botnet is linked to Xanthe cryptojacking group | 0.006 | 0.469 |
| 223657 | ZDNET | 2022-1-12 | This new malware wants to create backdoors and targets Windows, Linux and macOS | 0.048 | 0.460 |
| 224200 | ARSTECHNICA | 2022-1-15 | Backdoor RAT for Windows, macOS, and Linux went undetected until now | | 0.460 |
| 223865 | ZDNET | 2022-1-10 | Indian Patchwork hacking group infects itself with remote access Trojan | | 0.455 |
| 223951 | ZDNET | 2022-1-14 | SnatchCrypto campaign plants backdoors in crypto startups, DeFi, blockchain networks | 0.028 | 0.449 |
| 224056 | ZDNET | 2022-1-12 | Fortinet: Cybercriminals are exploiting Omicron news to distribute RedLine malware | | 0.436 |
| 223722 | TECHREPUBLIC | 2022-1-11 | Google Drive accounted for the most malware downloads from cloud storage sites in 2021 | | 0.428 |
| 223908 | ZDNET | 2022-1-12 | Log4j: How hackers are using the flaw to deliver this new 'modular' backdoor | | 0.400 |
| 223902 | VENTUREBEAT | 2022-1-13 | Report: Majority of malware downloads in 2021 were traced to cloud apps | | 0.378 |
| 223884 | ZDNET | 2022-1-11 | Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft | | 0.362 |
| 223966 | ZDNET | 2022-1-14 | Amazon fixes security flaw in AWS Glue service | | 0.362 |
| 224033 | ZDNET | 2022-1-13 | US Cyber Command links MuddyWater to Iranian intelligence | | 0.358 |
| 223794 | ZDNET | 2022-1-11 | AWS launches new EC2 instance type for high performance computing tasks | | 0.356 |
| 224038 | ZDNET | 2022-1-13 | UK jails man for spying on kids, adults with Remote Access Trojans | | 0.354 |
| 223890 | ZDNET | 2022-1-11 | DDoS attacks that come combined with extortion demands are on the rise | | 0.330 |
| 223981 | VENTUREBEAT | 2022-1-13 | Virtana, which helps companies to manage multiple cloud environments, raises $73M | | 0.323 |
| 223779 | VENTUREBEAT | 2022-1-11 | How managed services will evolve in 2022 | | 0.315 |
| 224041 | ZDNET | 2022-1-12 | Check your SPF records: Wide IP ranges undo email security and make for tasty phishes | | 0.309 |
| 223804 | ZDNET | 2022-1-11 | Microsoft: This macOS bug could bypass controls and access private user data | | 0.304 |
| 224036 | ZDNET | 2022-1-13 | Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry | | 0.303 |
| 223681 | TECHREPUBLIC | 2022-1-12 | US government urges organizations to prepare for Russian-sponsored cyber threats | | 0.302 |
| 223821 | TECHREPUBLIC | 2022-1-10 | URL parsing: A ticking time bomb of security exploits | | 0.298 |
| 223656 | VENTUREBEAT | 2022-1-12 | Eureka emerges from stealth to secure cloud data stores with automation | | 0.295 |


ID: 223683

URL: https://www.zdnet.com/article/remote-access-trojans-spread-through-microsoft-azure-aws-cloud-service-abuse/

Date: 2022-01-12

Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse

It seems that one or two Trojans aren't enough for your average cyberattacker. A recent campaign leveraging public cloud infrastructure is deploying not one, but three commercial Remote Access Trojans (RATs).

Nanocore, Netwire, and AsyncRAT payloads are being deployed from public cloud systems in what Cisco Talos suggests is a way for cyberattackers to avoid having to own or manage their own private, paid infrastructure -- such as 'bulletproof' hosting, which may eventually capture the interest of law enforcement. This abuse allows cybercriminals to leverage the resources of cloud services managed by vendors including Microsoft Azure and Amazon Web Services (AWS) for malicious purposes.

"These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments," Talos says. "It also makes it more difficult for defenders to track down the attackers' operations."

On Wednesday, Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said that the new campaign, based on public cloud infrastructure, was discovered in October 2021. The majority of victims are based in the US, Canada, and Italy, although a handful appear to be in Spain and South Korea.

The attack chain begins in a typical fashion: with a phishing email, often disguised as an invoice. These messages have .ZIP files attached which, once opened, reveal an ISO image. The ISO file carries a malicious loader for the Trojans, written either in JavaScript, as a Windows batch file, or as a Visual Basic script. If a victim opens (mounts) the disk image, these scripts will trigger.

Designed to deploy Nanocore, Netwire, and AsyncRAT, the scripts reach out to a download server to fetch a payload -- and this is where a public cloud service comes into play. The downloader scripts use obfuscation techniques to hide this activity. The JavaScript contains four layers of obfuscation, with each new malicious process generated after the previous layer is peeled back; the batch file contains obfuscated commands that run PowerShell to pick up its payload, and the VBScript file also uses PowerShell commands. A PowerShell dropper built with HCrypt was also detected.

The attackers behind the campaign manage a variety of payload hosts, command-and-control (C2) servers, and malicious subdomains. The majority detected so far are hosted on Azure and AWS.

"Some of the download servers are running the Apache webserver application," the researchers say. "The HTTP servers are configured to allow the listing of open directories that contain variants of NanocoreRATs, Netwire RAT, and AsyncRATs malware."

In addition, the operators abuse DuckDNS, a legitimate dynamic DNS service for pointing subdomains at IP addresses. The service is used to manage malware downloads via malicious DuckDNS subdomains and to mask the names of the C2 hosts, according to Talos.

Netwire, Nanocore, and AsyncRAT are popular commercial Trojan strains that are widely used by threat actors to remotely access and hijack vulnerable machines, steal user data, and conduct surveillance by means including audio and camera capture.

"Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints," the researchers commented. "It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible."
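The infection chain above (ZIP attachment, ISO inside, JavaScript/batch/VBScript loader inside that, then a dynamic-DNS name for the download host) gives a defender three cheap places to break it. The script below is an added example written for this page, not code from ZDNet or Cisco Talos: it flags disk images inside a ZIP attachment by reading the archive's directory only, flags script loaders in a disk image's file listing (that listing is an assumed input, for instance from a sandbox that mounted the image), and flags DNS lookups under `duckdns.org`. The log line format, file names, and the extra extensions beyond ISO/JS/BAT/VBS are constructed assumptions, not values from the article.

```python
"""Defender-side triage for the ZIP -> ISO -> script-loader -> dynamic-DNS chain.

Added example, not ZDNet's or Cisco Talos's code. The DNS log format, sample
file names and extension lists are constructed for illustration; only the
chain itself and the duckdns.org zone come from the article.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# ISO and JS/BAT/VBS are what the campaign used; the other entries are assumed
# additions a mail gateway would reasonably cover as well.
DISK_IMAGE_EXT = (".iso", ".img", ".vhd", ".vhdx")
SCRIPT_LOADER_EXT = (".js", ".jse", ".bat", ".cmd", ".vbs", ".vbe", ".ps1")
# Dynamic-DNS zones to alert on. Only duckdns.org is named in the article.
DYNDNS_ZONES = ("duckdns.org",)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_zip_attachment(zip_bytes: bytes) -> list[Finding]:
    """Flag disk images inside a ZIP by reading the central directory only
    (no member is extracted, so a malicious ISO is never written to disk)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(DISK_IMAGE_EXT):
                findings.append(Finding("zip-contains-disk-image", name))
    return findings


def triage_image_contents(member_names: list[str]) -> list[Finding]:
    """Flag script loaders in a disk image's file listing. The listing is an
    assumed input (e.g. produced by a sandbox that mounted the image)."""
    return [Finding("disk-image-contains-script-loader", n)
            for n in member_names if n.lower().endswith(SCRIPT_LOADER_EXT)]


# Constructed DNS log format: "<timestamp> <client-ip> query <qname> <qtype>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def flag_dyndns_queries(log_lines: list[str]) -> list[Finding]:
    """Flag lookups of subdomains under the configured dynamic-DNS zones."""
    findings = []
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the pipeline
        qname = m["qname"].lower().rstrip(".")
        if any(qname.endswith("." + zone) for zone in DYNDNS_ZONES):
            findings.append(Finding("dyndns-lookup", f"{m['client']} -> {qname}"))
    return findings


# Constructed sample inputs; the names are placeholders, not real indicators.
SAMPLE_ATTACHMENT = build_zip({"invoice_2022_01.iso": b"\x00" * 64})
SAMPLE_IMAGE_LISTING = ["invoice.js", "readme.txt"]
SAMPLE_DNS_LOG = [
    "2022-01-12T10:01:02Z 10.0.0.15 query example-host.duckdns.org A",
    "2022-01-12T10:01:05Z 10.0.0.15 query www.example.com A",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for f in (triage_zip_attachment(SAMPLE_ATTACHMENT)
              + triage_image_contents(SAMPLE_IMAGE_LISTING)
              + flag_dyndns_queries(SAMPLE_DNS_LOG)):
        print(f"[{f.rule}] {f.detail}")
```

The ZIP check deliberately stops at the central directory: the point of an ISO-in-ZIP lure is that mounting the image is what arms the loader, so a gateway rule that never extracts the member cannot be tricked into doing the attacker's first step for them. The DNS rule matches only true subdomains (`something.duckdns.org`), so a lookup of the zone apex itself is not reported.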