Everything is migrating to the cloud, including threat actors. Now it seems a trio of remote access Trojans (RATs)—Nanocore, Netwire and AsyncRAT—are being spread in a campaign that taps public cloud infrastructure and is primarily aimed at victims in the U.S., Italy and Singapore.
By using complex obfuscation techniques in the downloader script, the attackers ensure that “each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method,” according to Cisco Talos researchers who discovered the malicious campaign.
“Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure,” the researchers wrote. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers’ operations.”