A new phishing campaign has been uncovered in which attackers stage malware on public services such as Amazon Web Services (AWS) and GitHub, then use email to deliver the lure and gain control of newly infected systems.
FortiGuard Labs said the email lures victims into running a malicious, high-severity Java downloader that is used to deliver a new VCURMS remote access trojan (RAT) and the well-known STRRAT RAT. Because the downloader is a Java archive, any system with a Java runtime installed can execute it, and the campaign is not limited to any particular type of organization.
The researchers explained in a March 12 blog post that the phishing email targets staff at organizations, implies that a payment is underway and encourages the recipient to click a button to verify the payment details. Once the victim clicks, a malicious JAR file hosted on AWS is downloaded to the victim's computer.
Although the VCURMS RAT primarily handles command-and-control (C2) communication, its second stage also includes a modified version of the Rude Stealer and a keylogger that gather sensitive data from the victim. The researchers found that the threat actor uses multiple obfuscation techniques to evade detection and communicates with the C2 server over email.
AWS has become a popular choice for malicious actors to host malware because it is easy to use and because content hosted there benefits from the service's reputation until it is discovered and reported, explained Adam Neel, threat detection engineer at Critical Start. Neel said attackers also use GitHub to host malware for similar reasons. These services let attackers avoid detection by waiting until they already have a foothold on a system before deploying their malware and tools; scripts are commonly used to pull those tools down from the cloud services.
“Interestingly, one of the RATs installed during this attack (Windows.JAR) sets up its C2 through email,” said Neel. “This tactic is not commonly seen. Once ready, attackers are able to send emails that are parsed by the malware and turned into various commands. Even though this attack utilizes some uncommon techniques for obfuscation and defense evasion, it’s important to note that users will remain safe as long as they do not download and execute the attachment in the phishing email.”
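The two behaviours described above, a Java process fetching a JAR from AWS or GitHub and a non-mail process then speaking IMAP/SMTP, are both visible in ordinary proxy and endpoint telemetry. The script below is an added example, not FortiGuard's or Critical Start's code, that runs two simple detection rules over a constructed set of log lines and correlates them by process. The log format (`timestamp process destination`), the host and port lists, the mail-client allow-list and every sample line are assumptions made for the illustration.

```python
"""Flag log lines matching the tradecraft described above: a Java process
pulling a .jar from public cloud hosting, and a non-mail-client process
connecting to a mail protocol port (email-based C2)."""
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the FortiGuard report).
# Web events carry a URL; network events carry host:port.
SAMPLE_LOGS = [
    "2024-03-12T09:01:10Z outlook.exe https://mail.example.com/owa/",
    "2024-03-12T09:01:44Z java.exe https://example-bucket.s3.amazonaws.com/payment/Payment-Advice.jar",
    "2024-03-12T09:02:03Z java.exe https://raw.githubusercontent.com/acct/repo/main/stage2.jar",
    "2024-03-12T09:02:30Z java.exe imap.example-mail.com:993",
    "2024-03-12T09:03:00Z java.exe smtp.example-mail.com:587",
    "2024-03-12T09:05:12Z chrome.exe https://github.com/org/project/releases",
    "2024-03-12T09:06:00Z java.exe https://updates.example-vendor.com/app/update.jar",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<dest>\S+)$")

# Assumed staging hosts (the page names AWS and GitHub). A leading dot
# means "any subdomain"; a bare name matches itself and its subdomains.
STAGING_SUFFIXES = (".amazonaws.com", "raw.githubusercontent.com",
                    "objects.githubusercontent.com", "github.com")
MAIL_PORTS = {"25", "465", "587", "110", "143", "993", "995"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list
JAVA_PROCS = {"java.exe", "javaw.exe"}


def parse_line(line):
    """Split one log line into its fields; None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_staging_host(host):
    """True if host is, or sits under, one of the staging domains."""
    host = host.lower()
    for s in STAGING_SUFFIXES:
        if s.startswith("."):
            if host.endswith(s):
                return True
        elif host == s or host.endswith("." + s):
            return True
    return False


def rule_jar_from_cloud(ev):
    """Java process downloading a .jar from a public hosting service."""
    if not ev["dest"].lower().startswith("http"):
        return False
    u = urlparse(ev["dest"])
    return (ev["proc"].lower() in JAVA_PROCS
            and u.path.lower().endswith(".jar")
            and is_staging_host(u.hostname or ""))


def rule_mail_from_non_client(ev):
    """Process outside the mail-client allow-list talking to a mail port."""
    if ev["dest"].lower().startswith("http"):
        return False
    host, _, port = ev["dest"].rpartition(":")
    return bool(host) and port in MAIL_PORTS and ev["proc"].lower() not in MAIL_CLIENTS


def analyze(lines):
    """Return (rule, process, destination) tuples, plus a correlated finding
    when the same process both staged a JAR and used a mail protocol."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if rule_jar_from_cloud(ev):
            findings.append(("jar_from_cloud_hosting", ev["proc"], ev["dest"]))
        if rule_mail_from_non_client(ev):
            findings.append(("mail_protocol_from_non_mail_client", ev["proc"], ev["dest"]))
    # Correlate by process name; real telemetry would key on host and PID.
    staged = {p for r, p, _ in findings if r == "jar_from_cloud_hosting"}
    mailing = {p for r, p, _ in findings if r == "mail_protocol_from_non_mail_client"}
    for p in sorted(staged & mailing):
        findings.append(("staged_jar_then_email_c2", p, ""))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

On the constructed input the two JAR downloads from the S3 bucket and raw.githubusercontent.com fire the first rule, the IMAP and SMTP connections from java.exe fire the second, and the correlation step raises one combined finding; the browser visit to github.com and the vendor-hosted update.jar are left alone. Each rule is noisy on its own (developers download JARs from GitHub, backup agents send mail), which is why the correlated finding is the one worth paging on.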
Claude Mandy, chief evangelist, data security at Symmetry Systems, added that cybercriminals have been using commercial infrastructure and capabilities for many years to "live off the land." This approach lets attackers circumvent signature- and reputation-based security tools and use "trusted" services to deliver payloads, said Mandy.
“The challenge for organizations that use AWS and other cloud services is that they often don’t know what account or services they own or use themselves in the cloud, and simply see this as another unknown, but implicitly trusted account within AWS,” explained Mandy. “Until orgs can get visibility and knowledge of their own usage, they will need to continue to verify their protections accurately to identify these new variants.”