Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to siphon sensitive information from compromised systems.
The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News.
Using existing legitimate infrastructure to facilitate intrusions is increasingly becoming part of an attacker’s playbook as it obviates the need to host their own servers, not to mention be used as a cloaking mechanism to evade detection by security solutions.
In recent months, collaboration and communication tools like Discord, Slack, and Telegram have found a place in many an infection chain to commandeer and exfiltrate data from the victim machines. Viewed in that light, the abuse of cloud platforms is a tactical extension that attackers could exploit as a first step into a vast array of networks.
“There are several interesting aspects to this particular campaign, and it points to some of the things we commonly see used and abused by malicious actors,” Nick Biasini, head of outreach at Cisco Talos, told The Hacker News via email.
“From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack.” Read More: https://bit.ly/337oKRH