New Cyberattack Campaign Uses Public Cloud Infrastructure to Spread RATs

An attack campaign detected in October delivers variants of Nanocore, Netwire, and AsyncRATs to target user data.

A recently discovered attack campaign uses public cloud infrastructure to deliver variants of commodity RATs Nanocore, Netwire, and AsyncRATs to target users data, researchers report.
This campaign, detected in October, underscores how attackers are increasing their use of cloud technologies to achieve their goals without having to host their own infrastructure, report the Cisco Talos researchers who observed it. Its the latest example of adversaries using cloud services, such as Microsoft Azure and Amazon Web Services, to launch their attacks.
These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments, researchers wrote in a
blog post
. The strategy has another benefit, they added: It also makes it more difficult for defenders to track down the attackers operations.
Most victims in this case are in the United States, Italy, and Singapore, Cisco Secure product telemetry indicates. The remote administration tools (RATs) theyre targeted with are built with multiple features to take control of an environment, remotely execute commands, and steal the targets information.
An attack starts with a phishing email that contains a malicious ZIP attachment. The ZIP file is an ISO image containing the loader in JavaScript, Visual Basic script, or Windows batch file format. The attackers have attempted to trick recipients by disguising the email as a fake invoice file.
The unknown attackers behind this campaign use four levels of obfuscation for the downloader. Each stage of the deobfuscation process leads to decryption methods for the following stages, which ultimately lead to the download of the final payload. When the initial script is executed on a target machine, it connects to a download server that downloads the next stage, which can be hosted on an Azure-based Windows server or an AWS EC2 instance, researchers said.
To deliver the malware, the attackers registered multiple malicious subdomains using DuckDNS, a free dynamic DNS service that allows a user to create subdomains and maintain the records using the DuckDNS scripts. Some of the malicious subdomains resolve to the download server on Azure Cloud; others resolve to the servers operated as command-and-control (C2) for RATs.
Its just a great example of the challenges enterprises face: malicious email, using an obscure attachment and multiple layers of obfuscation to deliver some sort of remote access capability, says Nick Biasini, head of outreach at Talos. This is what enterprises are facing today, and this is an example of many of the techniques we commonly observed in one single campaign.
The payloads seen in this attack are commodity RATs commonly used in other campaigns. One of these is Nanocore, an executable first spotted in the wild in 2013. Another is NetwireRAT, a known threat that is used to steal passwords, login credentials, and credit card data. It is able to remotely execute commands and collect file system information.
AsyncRAT, the third payload, is designed to remotely monitor and control target machines via encrypted connections. In this campaign, attackers use the AsyncRAT client by configuring it to connect to the C2 server and give them remote access to a victims device. They can then steal data using some of its features, which include a keylogger, screen recorded, and system configuration manager.
Biasini says a victim will typically receive a single payload; however, Talos researchers have seen cases in which multiple RATs or other payloads are dropped onto a target system.
A Stronger Focus on Cloud
Researchers often see attackers abuse public cloud infrastructure, Biasini says. Part of the reason is attackers are opportunistic — theyll use any platform that can to help them achieve their goals. Azure and AWS are both major cloud platforms, so its unsurprising that attackers would look to these, as well as a variety of other cloud providers, to use in their campaigns.
The growth in their use of public cloud also points to another trend of access being a primary goal, he adds.
Ransomware cartels and associated affiliates are making huge sums of money ransoming their victims, [and] this type of remote access can and is sold to these groups, Biasini explains. Not all malicious actors want to operate in that space, but with the money to be made, its financially advantageous to just sell the initial access to one of these groups.
Attackers arent only abusing cloud infrastructure. New research shows two-thirds of all malware spread to enterprise networks last year
originated in cloud apps
, including Google Drive and OneDrive. Todays organizations are more likely to be hit with malware downloads from cloud applications than from any other source — a shift experts attribute to the convenience and cost that benefit attackers.
Cisco Talos researchers advised organizations to inspect their outgoing connections to cloud services for malicious traffic. Defenders should also monitor traffic to their business and implement rules around the script execution policies for their endpoints, they noted.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Cyberattack Campaign Uses Public Cloud Infrastructure to Spread RATs