New RAT Targeting AWS, Azure

By ISBuzz Team, Writer, Information Security Buzz | Jan 13, 2022 10:11 am PST

Cisco Talos discovers that a Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure.

  • Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRAT targeting users' information.
  • … the victims of this campaign are primarily distributed across the United States, Italy and Singapore.
  • The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results in the decryption methods for the subsequent stages, finally arriving at the actual malicious downloader method.
  • … the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services, actively misusing them to achieve their malicious objectives.
  • The actor is using the DuckDNS dynamic DNS service to change the domain names of the C2 hosts.
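The last bullet points at a cheap detection opportunity: a name under a dynamic-DNS zone that keeps resolving to different addresses is exactly the footprint of an actor re-pointing its C2. The script below is an added example written for this page, not code from Cisco Talos or from the article. It scans resolver log lines for queries under watched dynamic-DNS zones (DuckDNS is the one named above; the list is a placeholder to extend) and reports how many distinct answers each client saw for each such name. The log format and every address in the sample are constructed for illustration, so the parser will need adapting to a real resolver's output.

```python
"""Flag DNS queries to dynamic-DNS zones and count how often each name
re-points to a new address.

Added example; not from the Talos report or the article. The log format
<ts> <client> <qtype> <qname> <answer> is assumed for illustration, so
adapt parse_line() to the resolver you actually run.
"""
import re
from collections import defaultdict

# Zones to watch. DuckDNS is the provider the Talos findings name; the
# tuple is a placeholder list for any others your environment cares about.
DYNAMIC_DNS_ZONES = ("duckdns.org",)

# Constructed sample log (addresses from documentation ranges, not real data).
SAMPLE_LOG = """\
2021-10-12T09:14:01Z 10.0.0.21 A update.example.com 93.184.216.34
2021-10-12T09:14:07Z 10.0.0.21 A payload-host.duckdns.org 203.0.113.10
2021-10-12T09:29:44Z 10.0.0.21 A payload-host.duckdns.org 198.51.100.77
2021-10-12T09:30:02Z 10.0.0.33 A www.example.org 93.184.216.34
2021-10-12T09:45:13Z 10.0.0.21 A PAYLOAD-HOST.duckdns.org. 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (ts, client, qtype, qname, answer), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, answer = m.groups()
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so a mixed-case or fully-qualified query still matches the zone check.
    qname = qname.rstrip(".").lower()
    return ts, client, qtype, qname, answer


def is_dynamic_dns(qname):
    """True if qname is a host under a watched zone (the zone apex itself is not a hit)."""
    return any(qname.endswith("." + zone) for zone in DYNAMIC_DNS_ZONES)


def find_dynamic_dns_queries(log_text):
    """Group dynamic-DNS queries by (client, qname) with the distinct answers seen.

    Several different answers for one name within a short window is the
    signal worth alerting on: the name is being re-pointed at new hosts.
    """
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "answers": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname, answer = rec
        if not is_dynamic_dns(qname):
            continue
        h = hits[(client, qname)]
        h["first_seen"] = h["first_seen"] or ts
        h["count"] += 1
        if answer not in h["answers"]:
            h["answers"].append(answer)
    return dict(hits)


if __name__ == "__main__":
    for (client, qname), h in find_dynamic_dns_queries(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: {h['count']} queries, "
              f"{len(h['answers'])} distinct answers {h['answers']}")
```

Run against the sample, the one watched name is reported with three queries and three different answers from the same client, which is the pattern to alert on; a benign dynamic-DNS user would typically resolve to a stable address. Treat the zone list as a starting point and pair the rule with a threshold on distinct answers per hour rather than alerting on every dynamic-DNS lookup.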
3 Expert Comments
Saryu Nayyar, CEO
January 13, 2022 7:24 pm

The new RAT variant is a perfect example of why it is important to have a cloud-native and multi-cloud next generation threat detection solution like a next generation SIEM. Even more important is that non-rule-based true machine learning capabilities are critical to detect emerging variants out of the box. Risk-based user behavioral detection and analytics are a requirement to help security teams pinpoint the unusual commands being executed, unexpected external communications and data leakage of credentials or financial information. As we've seen in many cases, integrated and automated response capabilities, when targeted and low-risk, can accelerate remediation in time to prevent theft.

Garret F. Grajek
January 13, 2022 7:15 pm

The fact that the hackers are constantly modifying their C2 (command-and-control) centers with DuckDNS, a freeware DNS service, just shows how "by any means necessary" the hackers are willing to operate. Attacks like this one show a team effort in scanning, exploiting, obfuscation and then finally exfiltration. These attacks will not be defeated without a comprehensive security system that concentrates on both prevention and immediate anomaly detection and the ability to mitigate.

Privilege escalation is often part of these attacks to ensure the hacker can laterally move across the enterprise. Thus, it's imperative to be monitoring both new malware installations and new traffic, but also modifications in access and privilege rights.

Chris Olson, CEO
January 13, 2022 7:11 pm

Today, most organizations are employing advanced spam filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from executing. But as we've seen many times before, cyber actors adapt to obstacles by changing their tactics, in this case by deploying obfuscated code to escape detection, and dynamic DNS to prevent blocking.

But cloud-based attackers are a little late to the game here, as we've seen both these tactics used for years in AdTech and web-based attacks. Consequently, we have warned our clients not to depend on simple ad blockers (equivalent to antivirus) or domain lists, which are rarely updated quickly enough to reflect the way cyber actors jump between different domain and ad partners.

In the future, we can expect cyberattacks to become more anonymized, dynamic, and harder to detect through automated methods. Organizations must work to better understand the code that is executing throughout their digital environment by continually monitoring activity and carefully vetting their IT partners.
