Home News Attackers Exploit Cloud Services to Deploy Nanocore, Netwire, and AsyncRAT

Attackers Exploit Cloud Services to Deploy Nanocore, Netwire, and AsyncRAT

A new malware campaign exploits public cloud services like Microsoft Azure and Amazon Web Services to deploy RATs like Nanocore, AsyncRAT, and Netwire.

SHARE
Nanocore Netwire AsyncRAT, Cloud security, cloud computing

Since digitalization began, there has been a significant increase in organizations turning to cloud computing. Most companies leverage multiple cloud environments to host their critical IT infrastructures,  a primary target to cybercriminals. Cybersecurity experts from Cisco Talos recently uncovered a cyberespionage campaign actively exploiting public cloud services like Microsoft Azure and Amazon Web Services to deploy multiple commodity remote access trojans (RATs) like Nanocore, AsyncRAT, and Netwire.

Since October 2021, the campaign mainly targeted organizations in Canada, the U.S., Italy, and Singapore. Attackers reportedly stole sensitive information from the compromised systems.

“These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information. The threat actor, in this case, used cloud services to deploy and deliver variants of commodity RATs with  information-stealing capability,” the researchers said.

Infection Chain

The infection chain begins with a spearphishing email that contains a malicious ZIP file attachment. The ZIP file holds an ISO image containing the loader in JavaScript, Visual Basic script, or a Windows batch file format. Hackers prompt the users to open the attachment mimicking it as an invoice document.

Also Read: Over 300,000 Users Affected by 4 Android Banking Trojans

Once a victim downloads the attachment, the initial script will be executed on the device and automatically connects to a download server to install the next stage. Operators behind this campaign maintained a distributed infrastructure consisting of download servers, command and control servers, and malicious subdomains to distribute the malware payload.

Indicators of Compromise (IOC)

Some of the observed ZIP file names include:

  • WROOT_Invoice_Copy.zip
  • YUEOP_Invoice_Copy.zip
  • HOO8M_Invoice_Copy.zip
  • TROOS_Invoice_Copy.zip
  • TBROO1_Invoice_Copy.zip

“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible,” the researchers added.