Cisco Talos discovers that a Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure.
- Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRAT that target users’ information.
- … the victims of this campaign are primarily distributed across the United States, Italy and Singapore.
- The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process yields the decryption methods for the subsequent stages, finally arriving at the actual malicious downloader method.
- … the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services, actively misusing them to achieve their malicious objectives.
- The actor is using the DuckDNS dynamic DNS service to change domain names of the C2 hosts.
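The DuckDNS point above is the one a defender can act on directly: a dynamic DNS name that keeps resolving to different addresses is a rotating C2 signature that a resolver log already contains. The following is an added example (not code from Cisco Talos or from the report) that parses constructed DNS resolver log lines, flags queries to dynamic DNS providers, and reports names whose answers change across the window. The log format, the hostnames and the IP addresses are all made up for the example; only the duckdns.org suffix comes from the report.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (documentation IP ranges, invented hostnames).
# The duckdns.org host changes its answer three times, mimicking a rotating C2.
SAMPLE_LOG = """\
2021-10-05T09:12:01Z client=10.0.0.12 query=updates.example-corp.internal type=A answer=10.0.0.5
2021-10-05T09:12:07Z client=10.0.0.12 query=stage-host.duckdns.org type=A answer=203.0.113.10
2021-10-05T09:20:41Z client=10.0.0.12 query=stage-host.duckdns.org type=A answer=203.0.113.10
2021-10-05T10:03:15Z client=10.0.0.12 query=stage-host.duckdns.org type=A answer=198.51.100.77
2021-10-05T10:04:02Z client=10.0.0.30 query=www.example.com type=A answer=93.184.216.34
2021-10-05T10:40:58Z client=10.0.0.12 query=stage-host.duckdns.org type=A answer=192.0.2.9
"""

# DuckDNS is the provider named in the report; other dynamic DNS suffixes can be
# appended here (assumption: your own watch-list, not something the report supplies).
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)

# Assumed key=value line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["query"] = record["query"].lower().rstrip(".")
    return record


def is_dynamic_dns(name):
    """True when the queried name sits under a watched dynamic DNS suffix."""
    return any(name.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def find_dynamic_dns_queries(log_text):
    """All parsed records whose query is a dynamic DNS name, in log order."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_dynamic_dns(r["query"])]


def find_rotating_hosts(log_text, min_distinct_ips=2):
    """Map dynamic DNS names to the sorted set of answers they returned,
    keeping only names that resolved to at least min_distinct_ips addresses."""
    answers = defaultdict(set)
    for record in find_dynamic_dns_queries(log_text):
        answers[record["query"]].add(record["answer"])
    return {
        name: sorted(ips)
        for name, ips in answers.items()
        if len(ips) >= min_distinct_ips
    }


def clients_for_host(log_text, name):
    """Internal clients that queried the given name: the hosts worth triaging first."""
    return sorted({r["client"] for r in find_dynamic_dns_queries(log_text) if r["query"] == name})


if __name__ == "__main__":
    for name, ips in find_rotating_hosts(SAMPLE_LOG).items():
        print(f"{name} rotated across {len(ips)} addresses: {', '.join(ips)}")
        print(f"  queried by: {', '.join(clients_for_host(SAMPLE_LOG, name))}")
```

Run against a real resolver export the same logic works once `LINE_RE` is adapted to that log's layout; the rotation threshold is deliberately low because legitimate dynamic DNS use inside an enterprise is rare enough that a single alert per name is cheap to triage.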
<p>The new RAT variant is a perfect example of why it is important to have a cloud-native and multi-cloud next-generation threat detection solution like a next-generation SIEM. Even more important is that non-rule-based true machine learning capabilities are critical to detect emerging variants out of the box. Risk-based user behavioral detection and analytics are a requirement to help security teams pinpoint the unusual commands being executed, unexpected external communications and data leakage of credentials or financial information. As we’ve seen in many cases, integrated and automated response capabilities, when targeted and low-risk, can accelerate remediation in time to prevent theft.</p>
<p>The fact that the hackers are constantly modifying their C2 (command-and-control) centers with DuckDNS, a freeware DNS service – just shows how "by any means necessary" – the hackers are willing to operate. Attacks like this one show a team effort in scanning, exploiting, obfuscation and then finally exfiltration. These attacks will not be defeated without a comprehensive security system that concentrates on both prevention and immediate anomaly detection and the ability to mitigate.</p>
<p>Privilege escalation is often part of these attacks to ensure the hacker can laterally move across the enterprise. Thus, it’s imperative to be monitoring not only new malware installations and new traffic – but also modifications in access and privilege rights.</p>
<p>Today, most organizations are employing advanced spam filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from executing. But as we’ve seen many times before, cyber actors adapt to obstacles by changing their tactics – in this case, by deploying obfuscated code to escape detection, and dynamic DNS to prevent blocking.</p>
<p>But cloud-based attackers are a little late to the game here, as we’ve seen both these tactics used for years in AdTech and web-based attacks. Consequently, we have warned our clients not to depend on simple ad blockers – equivalent to antivirus – or domain lists, which are rarely updated quickly enough to reflect the way cyber actors jump between different domain and ad partners.</p>
<p>In the future, we can expect cyberattacks to become more anonymized, dynamic, and harder to detect through automated methods. Organizations must work to better understand the code that is executing throughout their digital environment by continually monitoring activity and carefully vetting their IT partners.</p>