Amazon, Azure Clouds Host RAT-ty Trio in Infostealing Campaign

A cloudy campaign delivers commodity remote-access trojans to steal information and execute code.

Cyberattackers are abusing Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), researchers warned – all aimed at hoovering up sensitive information from target users.

According to an analysis from Cisco Talos, threat actors have been pushing out variants of the malware known as AsyncRAT, Netwire and Nanocore since October, mainly to targets in Italy, Singapore and the United States. A few of the targets have been in South Korea and Spain as well, according to the firm.

As in many campaigns, the attacks start with a phishing email containing a malicious .ZIP attachment, researchers said. But the attackers have a cloud-based trick up their sleeve.

“These .ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script,” Talos researchers explained on Wednesday. “When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.”
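A mail-gateway style check for the delivery chain Talos describes (ZIP attachment, ISO image inside, script loader inside that), added here as an example and not taken from Talos or the article. It identifies ISO members by their ISO 9660 signature rather than by file name and lists script files in the image's root directory. The function names, the size cap and the sample archive are assumptions made for illustration, and Joliet/UDF names and subdirectories are out of scope.

```python
import io
import struct
import zipfile

SCRIPT_EXTS = (".js", ".bat", ".vbs")  # loader types named in the Talos quote
SECTOR = 2048                          # assumed ISO 9660 logical block size
MAX_MEMBER = 64 * 1024 * 1024          # assumed cap so a huge member is not unpacked

def iso_root_names(img: bytes) -> list[str]:
    """File names in the root directory of an ISO 9660 image ([] if not one)."""
    pvd = 16 * SECTOR                  # primary volume descriptor is sector 16
    if len(img) < pvd + SECTOR or img[pvd + 1:pvd + 6] != b"CD001":
        return []
    extent, size = struct.unpack_from("<I4xI", img, pvd + 158)  # root dir record
    names, pos, end = [], extent * SECTOR, extent * SECTOR + size
    while pos + 33 < min(end, len(img)):
        step = img[pos] or SECTOR - pos % SECTOR   # 0 = padding up to next sector
        name = img[pos + 33:pos + 33 + img[pos + 32]]
        if img[pos] and name not in (b"\x00", b"\x01"):   # skip "." and ".."
            names.append(name.decode("ascii", "replace").split(";")[0].lower())
        pos += step
    return names

def scan_zip(blob: bytes) -> list[str]:
    """Report 'member!script' for each script found in an ISO inside the ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            for name in iso_root_names(zf.read(info)):
                if name.endswith(SCRIPT_EXTS):
                    hits.append(f"{info.filename}!{name}")
    return hits

def build_sample_zip() -> bytes:
    """Constructed input: ZIP -> doc.iso -> INVOICE.JS (an empty placeholder)."""
    def rec(ident: bytes, extent: int, size: int, flags: int) -> bytes:
        n = 33 + len(ident) + (len(ident) + 1) % 2   # records have even length
        head = struct.pack("<BBI", n, 0, extent) + struct.pack(">I", extent)
        head += struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
        return (head + bytes([flags, 0, 0, 1, 0, 0, 1, len(ident)]) + ident).ljust(n, b"\0")
    pvd = (b"\x01CD001\x01".ljust(156, b"\0") + rec(b"\0", 18, SECTOR, 2)).ljust(SECTOR, b"\0")
    root = rec(b"\0", 18, SECTOR, 2) + rec(b"\x01", 18, SECTOR, 2) + rec(b"INVOICE.JS;1", 19, 0, 0)
    iso = bytes(16 * SECTOR) + pvd + b"\xffCD001\x01".ljust(SECTOR, b"\0") + root.ljust(SECTOR, b"\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.iso", iso)
    return buf.getvalue()
```

To check a real attachment, pass its bytes to `scan_zip`; a non-empty result means the archive matches the ZIP-to-ISO-to-script pattern and warrants quarantine or manual review.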

Clouding the (Malicious)

Read More: https://threatpost.com/amazon-azure-clouds-rat-infostealing/177606/