Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRAT that target users' information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process yields the decryption methods for the subsequent stages, finally arriving at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services, which they actively misuse to achieve their malicious objectives. The actor is using the DuckDNS dynamic DNS service to change the domain names of the C2 hosts.

Executive Summary

Threat actors are increasingly using cloud technologies to achieve their objectives without having to host their own infrastructure. Cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the

Read More: http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html