Tuesday, October 15, 2024

Nanocore, Netwire, and AsyncRAT Malware on AWS and Azure

Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT, which siphon sensitive information from compromised systems.

Nanocore

Nanocore is a Remote Access Tool used to steal credentials and to spy on webcams. It has been used for years by numerous criminal actors as well as by nation-state threat actors.

Netwire

Netwire is a RAT whose functionality is focused on password stealing and keylogging, but it includes remote control capabilities as well.

AsyncRAT

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control and many other features that can harm the victim's computer. In addition, AsyncRAT can be delivered through various methods such as spear-phishing, malvertising, exploit kits and other techniques.

The threat actor in this case used cloud services to deploy and deliver variants of commodity RATs with information-stealing capability, starting around Oct. 26, 2021. These variants of Remote Administration Tools (RATs) are packed with multiple features to take control of the victim's environment, execute arbitrary commands remotely and steal the victim's information.

The initial infection vector

The initial infection vector is a phishing email with a malicious ZIP attachment. These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.

Organizations should inspect outgoing connections to cloud computing services for malicious traffic, since a destination on AWS or Azure is not by itself a sign of legitimacy. The campaigns described in this post demonstrate the increasing use of popular cloud platforms for hosting malicious infrastructure.
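As an added illustration (not code from the original post or from the Talos report), the following Python sketch applies that recommendation to constructed outbound-connection log lines: it flags destinations under DuckDNS, the free dynamic DNS service used in this campaign, and Windows script hosts (the JavaScript, batch and VBS loaders) fetching from AWS EC2 or Azure VM hostnames. The log format, the sample hostnames and the cloud hostname suffix patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound-connection log lines (not real telemetry).
# Format (assumed): timestamp,host,process,dest_host,dest_port
SAMPLE_LOG = """\
2021-10-26T09:12:01Z,ws-042,wscript.exe,invoice-update.duckdns.org,443
2021-10-26T09:12:03Z,ws-042,wscript.exe,ec2-203-0-113-10.compute-1.amazonaws.com,80
2021-10-26T09:15:44Z,ws-017,outlook.exe,outlook.office365.com,443
2021-10-26T09:20:10Z,ws-091,chrome.exe,www.example.com,443
2021-10-26T09:21:30Z,ws-055,cmd.exe,myvm.eastus.cloudapp.azure.com,8080
"""

# Windows script hosts that run the JS / BAT / VBS loaders described above
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Free dynamic DNS provider the actor used for download/C2 subdomains
DYNDNS_RE = re.compile(r"(^|\.)duckdns\.org$", re.IGNORECASE)
# Assumed hostname suffixes for raw AWS EC2 instances and Azure VMs
CLOUD_VM_RE = re.compile(
    r"(\.compute(-\d+)?\.amazonaws\.com|\.cloudapp\.azure\.com)$", re.IGNORECASE
)

@dataclass
class Alert:
    host: str
    process: str
    dest: str
    reason: str

def classify(line: str):
    """Return an Alert for one log line, or None if it looks benign."""
    _ts, host, process, dest, _port = line.strip().split(",")
    if DYNDNS_RE.search(dest):
        return Alert(host, process, dest, "dynamic-dns (DuckDNS) destination")
    if process.lower() in SCRIPT_HOSTS and CLOUD_VM_RE.search(dest):
        return Alert(host, process, dest, "script host fetching from cloud VM endpoint")
    return None

def scan(log_text: str):
    """Run classify() over every non-empty line and keep the alerts."""
    return [a for a in (classify(l) for l in log_text.splitlines() if l.strip()) if a]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.host}: {a.process} -> {a.dest} [{a.reason}]")
```

On the constructed sample this yields three alerts: the DuckDNS lookup, the wscript.exe fetch from an EC2 hostname, and the cmd.exe fetch from an Azure VM hostname; the Outlook and Chrome connections pass.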

Infection summary diagram (source: talosintelligence)

The observed campaigns are using variants of Nanocore, Netwire and AsyncRAT as payloads. These are commodity RATs that were widely used in other campaigns.

Like many other similar campaigns, this one appears to start with an invoice-themed phishing email containing a ZIP file attachment. When a user downloads and unzips the file and runs the loader inside, the attack sequence triggers: it downloads next-stage payloads hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, ultimately culminating in the deployment of different RATs, including AsyncRAT, Nanocore and Netwire.

It has also been observed that these malicious payloads are often hosted on compromised web servers. The criminals are resourceful: they use compromised web hosting as a springboard for larger campaigns.

We recommend that readers:

  1. Beware of phishing campaigns targeting you (of course). They are spear-phishing attacks and may come in very deceptive disguises, such as the invoice-themed lure with a ZIP attachment seen here.
  2. Scan your infrastructure continuously. We recommend periodic scanning if possible. Reach out to Cybermetrics if you need more help with this.