Tech news from MIST

Cloud services used to distribute Netwire, Nanocore, and AsyncRAT Malware


Parv Kohli

January 9, 2022

Attackers have been using public cloud services from Amazon and Microsoft in their campaigns to deliver remote access trojans (RATs) and use them to steal sensitive information from compromised systems. Using existing infrastructure to support intrusions is becoming more common. It removes the need for attackers to run their own servers, and it also serves as cover to avoid detection by security solutions.

The spear-phishing attacks, which began in October 2021, have predominantly targeted companies in the United States, Canada, Italy, and Singapore. Recently, collaboration and communications applications such as Discord, Telegram, and Slack have also been found to have a place in the infection chain, where they are used to extract data from the compromised system.

Nick Biasini, head of outreach at Cisco Talos, says, "From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack."

"Malicious actors are opportunistic," Biasini explained, "and will always be seeking new and innovative ways to both host malware and infect victims."

"This pattern includes the exploitation of platforms like Slack and Discord, as well as the related cloud abuse. We frequently see hijacked websites being used to host malware and other infrastructure, demonstrating that these adversaries will use any ways to obtain access to their victims."

Abridged from The Hacker News
