New Remote Access Trojan Targeting AWS & Azure Cloud Services Discovered

Cisco Talos has today released new research showing that a new RAT (Remote Access Trojan) campaign has been abusing AWS and Azure cloud services since October 2021, spreading a trio of RAT payloads with the aim of stealing data from infected machines. In response to these findings, an expert with Gurucul has offered perspective.

Saryu Nayyar, CEO and Founder, Gurucul offers this comment:

“The new RAT variant is a perfect example of why it is important to have a cloud-native and multi-cloud next generation threat detection solution like a next generation SIEM. Even more important is that non rule-based true machine learning capabilities are critical to detect emerging variants out of the box. Risk-based user behavioral detection and analytics are a requirement to help security teams pinpoint the unusual commands being executed, unexpected external communications and data leakage of credentials or financial information. As we’ve seen in many cases, integrated and automated response capabilities, when targeted and low-risk, can accelerate remediation in time to prevent theft.” 

This is clearly one of those cases where detection and prevention are the way to avoid becoming a victim of this RAT campaign. Hopefully those who rely on AWS and Azure workloads have the means to protect themselves.

UPDATE: I have this commentary from Stephanie Simpson, who is the VP Product Management at SCYTHE:

“Attacks against Remote Administration Tools (RATs) are nothing new. We’ve already seen them for technologies like NetWire and being used by cybercriminals like SlothfulMedia malware. This is another case of threat actors changing their tactics, techniques, and practices (TTPs), adjusting to new environments. When testing security controls, organizations need to start thinking about the different ways that malicious actors are changing known TTPs to find new ways to attack systems.”

UPDATE #2: Chris Olson, CEO at The Media Trust had this to say:

“Today, most organizations are employing advanced SPAM filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from executing. But as we’ve seen many times before, cyber actors adapt to obstacles by changing their tactics – in this case, by deploying obfuscated code to escape detection, and dynamic DNS to prevent blocking.”

“But cloud-based attackers are a little late to the game here, as we’ve seen both these tactics used for years in AdTech and web-based attacks. Consequently, we have warned our clients not to depend on simple ad blockers – equivalent to antivirus – or domain lists, which are rarely updated quickly enough to reflect the way cyber actors jump between different domain and ad partners.”

“In the future, we can expect cyberattacks to become more anonymized, dynamic, and harder to detect through automated methods. Organizations must work to better understand the code that is executing throughout their digital environment by continually monitoring activity and carefully vetting their IT partners.”
