Groups Similar Look up By Text Browse About



Similar articles
Article Id Title Prob Score Similar Compare
223745 TECHREPUBLIC 2022-1-12:
Cisco Talos discovers a new malware campaign using the public cloud to hide its tracks
1.000 Find similar Compare side-by-side
223683 ZDNET 2022-1-12:
Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse
0.953 0.584 Find similar Compare side-by-side
223861 ZDNET 2022-1-10:
Abcbot botnet is linked to Xanthe cryptojacking group
0.016 0.520 Find similar Compare side-by-side
223657 ZDNET 2022-1-12:
This new malware wants to create backdoors and targets Windows, Linux and macOS
0.117 0.505 Find similar Compare side-by-side
224200 ARSTECHNICA 2022-1-15:
Backdoor RAT for Windows, macOS, and Linux went undetected until now
0.484 Find similar Compare side-by-side
223681 TECHREPUBLIC 2022-1-12:
US government urges organizations to prepare for Russian-sponsored cyber threats
0.012 0.458 Find similar Compare side-by-side
223865 ZDNET 2022-1-10:
Indian Patchwork hacking group infects itself with remote access Trojan
0.004 0.445 Find similar Compare side-by-side
224056 ZDNET 2022-1-12:
Fortinet: Cybercriminals are exploiting Omicron news to distribute RedLine malware
0.015 0.435 Find similar Compare side-by-side
223821 TECHREPUBLIC 2022-1-10:
URL parsing: A ticking time bomb of security exploits
0.430 Find similar Compare side-by-side
223722 TECHREPUBLIC 2022-1-11:
Google Drive accounted for the most malware downloads from cloud storage sites in 2021
0.426 Find similar Compare side-by-side
223902 VENTUREBEAT 2022-1-13:
Report: Majority of malware downloads in 2021 were traced to cloud apps
0.412 Find similar Compare side-by-side
223908 ZDNET 2022-1-12:
Log4j: How hackers are using the flaw to deliver this new 'modular' backdoor
0.407 Find similar Compare side-by-side
223951 ZDNET 2022-1-14:
SnatchCrypto campaign plants backdoors in crypto startups, DeFi, blockchain networks
0.009 0.405 Find similar Compare side-by-side
224033 ZDNET 2022-1-13:
US Cyber Command links MuddyWater to Iranian intelligence
0.380 Find similar Compare side-by-side
223890 ZDNET 2022-1-11:
DDoS attacks that come combined with extortion demands are on the rise
0.378 Find similar Compare side-by-side
223884 ZDNET 2022-1-11:
Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft
0.354 Find similar Compare side-by-side
223723 ZDNET 2022-1-11:
CISA: Russian state-sponsored groups exploited vulnerabilities in Microsoft, Cisco, Oracle tools
0.349 Find similar Compare side-by-side
223798 TECHREPUBLIC 2022-1-10:
Weekly cyberattacks jumped by 50% in 2021, with a peak in December due largely to the Log4J exploit
0.341 Find similar Compare side-by-side
224036 ZDNET 2022-1-13:
Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry
0.337 Find similar Compare side-by-side
223863 ZDNET 2022-1-10:
Ransomware warning: Cyber criminals are mailing out USB drives that install malware
0.332 Find similar Compare side-by-side
223645 ZDNET 2022-1-11:
2021 was a terrible year for cybersecurity. Without action, 2022 could be even worse
0.321 Find similar Compare side-by-side
224009 ARSTECHNICA 2022-1-13:
New Chrome security measure aims to curtail an entire class of Web attack
0.314 Find similar Compare side-by-side
224301 ZDNET 2022-1-14:
Ukraine says more than 70 government websites were defaced, 10 were subjected to 'unauthorized interference'
0.311 Find similar Compare side-by-side
223885 ZDNET 2022-1-11:
Cybersecurity: Last year was a record year for attacks, and Log4j made it worse
0.303 Find similar Compare side-by-side
223815 ZDNET 2022-1-10:
CISA director: 'We have not seen significant intrusions' from Log4j -- yet
0.286 Find similar Compare side-by-side

1

ID: 223745

URL: https://www.techrepublic.com/article/cisco-talos-discovers-a-new-malware-campaign-using-the-public-cloud-to-hide-its-tracks/

Date: 2022-01-12

Cisco Talos discovers a new malware campaign using the public cloud to hide its tracks

Talos, Cisco's cybersecurity research arm, reports it has detected a new malware campaign that is using public cloud infrastructure to host and deliver variants of three remote access trojans (RATs) while maintaining enough agility to avoid detection. The campaign, which Talos said began in late October 2021, has been seen primarily targeting the United States, Canada, Italy and Singapore, with Spain and South Korea also being popular targets for this latest attack.  Password breach: Why pop culture and passwords don't mix (free PDF). (TechRepublic). Public cloud services like AWS and Microsoft Azure were both cited by Talos as having played host to the malware, and the attackers also used some serious obfuscation in their downloader. These attacks are evidence that threat actors are actively using cloud services as part of the latest form of attack, and that means trouble for vulnerable organizations. The attacks that Talos detected involve variants of three RATs: Nanocore, Netwire and AsyncRAT, each of which is commercially available (also known as a commodity RAT). Each of the tools, Talos said, was being deployed with the goal of stealing user information. Infections caused as a part of the campaigns that Talos discovered are coming via phishing emails that contain malicious ZIP files that contain either a Javascript, Windows batch file or Visual Basic script. That file, in turn, downloads the actual malware from an Azure Windows server or AWS EC2 instance.  In order to deliver the malware, the attackers used the free dynamic DNS (DDNS) service DuckDNS to redirect traffic. DDNS allows site owners to register a URL to a non-static IP address. In combination with using web services to host malware, DDNS makes it much harder to identify where the attack is coming from.  The attackers further hide their intent with four different layers of obfuscation. Talos says the JavaScript version of the downloader is using four different functions to decrypt itself, and nested inside each encrypted layer is the method by which it is further decrypted. Decryption begins with the ejv() function, which is normally used for validating JSON files. Once it does the first layer of decryption, evj() hands code with one layer of encryption removed that has to be further decrypted using the Ox$() general purpose library. At layer three, the decryption process uses "another obfuscated function which has multiple function calls returning values and a series of eval() functions," Talos said. Those eval() calls in turn use Ox$() to decrypt it yet again. Google Chrome: Security and UI tips you need to know (TechRepublic Premium). Lastly, obfuscation layer four uses the third-level function and some of its own self-decryption logic to decrypt the dropper and download the malware. Along with downloading it, layer four also adds a registry key to establish persistence, configures scheduled tasks for itself, attempts to mess with the alternate data stream attribute of NTFS files to hide its source, and fingerprints the machine. As is the case with many attacks, this one is complicated beneath the surface, but it still relies on human error to get its foot in the door. That said, the normal recommendations of "train your staff and install good security software" apply.  Talos adds that organizations should monitor their inbound and outbound traffic to ensure they're not letting suspicious traffic pass by, restrict script execution at endpoints, and ensure you have a solid, reliable email filtering service in place.  Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays