Threat actors use the power of Microsoft Azure and AWS to spread RATs

Azure Data Center (Image credit: Microsoft)

What you need to know

  • Cisco Talos has released a report analyzing a campaign utilizing popular cloud services to spread malicious software.
  • Amazon Web Services (AWS) and Microsoft Azure have been used in the threat actors' activities.
  • Cisco Talos' advice is that organizations need to inspect connections to cloud services since that traffic could contain harmful content.

Everyone's learning how to tap into the power of the cloud, including malicious individuals looking to spread malware to unsuspecting parties. Take, for example, the recent campaign identified by Cisco Talos wherein threat actors have been distributing Netwire, Nanocore, and AsyncRATs by utilizing AWS and Microsoft Azure.

The idea behind malicious parties using major cloud services is that it saves them time, money, and effort when it comes to setting up attack infrastructure. There's also the added benefit of the cloud making their actions harder to trace and track.

As for why one should be afraid of RATs scurrying through the cloud and landing inside their environment: RAT stands for "Remote Administration Tool." Once it gets in, it can execute commands you never consented to and siphon sensitive information.

Talos RAT threat graph (Image credit: Cisco Talos)

For the specific campaign Cisco Talos analyzed, the RAT threat starts as many do: with a phishing email carrying a malicious attachment. Once that attachment's loader runs its script, it connects to a server, which may be hosted on AWS or Azure.

You can read the full report over at the Talos Intelligence blog, should you want the in-depth technical details of the threat. If you're not interested in that, it's still important to digest the main takeaway of the report: "Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic," Cisco Talos warns. "The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure."
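As an added illustration of that takeaway (this is not code from the Talos report or from this article), the following Python triage runs over a few constructed proxy log lines and flags outbound connections to cloud-hosted destinations that are not on a hypothetical allowlist. The log format, hostnames, allowlist and suffix list are all assumptions made for the example; the point is that "it's a big cloud provider" is not by itself a reason to trust a destination.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for the example (not from the Talos report):
# "<timestamp> <source host> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2022-01-12T09:01:05 ws-017 update.microsoft.com 1432
2022-01-12T09:01:09 ws-017 s3.amazonaws.com 51200
2022-01-12T09:02:11 ws-042 ec2-3-14-15-92.us-east-2.compute.amazonaws.com 812
2022-01-12T09:02:40 ws-042 ec2-3-14-15-92.us-east-2.compute.amazonaws.com 1990
2022-01-12T09:03:02 ws-017 d3plkl7p3n9x.cloudapp.azure.com 703
2022-01-12T09:03:15 ws-009 mail.google.com 2201
"""

# Hypothetical allowlist of cloud-hosted destinations the organisation knowingly uses.
KNOWN_CLOUD_HOSTS = {"s3.amazonaws.com"}

# Assumed suffixes that identify customer-provisioned AWS / Azure hosting.
CLOUD_SUFFIXES = (
    ".amazonaws.com",
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".blob.core.windows.net",
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")


def is_cloud_host(dst):
    """True if the destination hostname ends with one of the assumed cloud suffixes."""
    return any(dst.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def flag_unknown_cloud_destinations(log_text, allowlist=KNOWN_CLOUD_HOSTS):
    """Group outbound connections to non-allowlisted cloud hosts by destination.

    Returns {destination: {"sources": set(), "connections": n, "bytes": total}}
    so an analyst can see which internal hosts talk to which unknown cloud endpoint,
    how often, and how much they send out.
    """
    findings = defaultdict(lambda: {"sources": set(), "connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the whole run
        dst = match["dst"].lower()
        if not is_cloud_host(dst) or dst in allowlist:
            continue
        entry = findings[dst]
        entry["sources"].add(match["src"])
        entry["connections"] += 1
        entry["bytes"] += int(match["bytes"])
    return dict(findings)
```

Anything this returns is a lead to triage, not a verdict; the same hostname pattern covers plenty of legitimate SaaS back ends, so the allowlist has to be maintained from what the organisation actually uses.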

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

3 Comments
  • “Threat Actors”? So these people are just pretending to be bad? 🙄 Just say “Criminals”. Stop sugar coating this.
  • It's the official term. If you don't like it, take it up with the tech security industry
  • No. The official term is criminals. The Politically Correct term is threat actors. If you don’t like it, take it up with the police. The “tech security industry” does not get to redefine criminal acts. It’s the same as saying “undocumented immigrants” instead of illegal aliens. Illegal aliens is the correct term. Undocumented immigrants is the PC term. Heaven forbid we offend criminals. 🙄 If I go into a bank with a gun and demand money, did I rob the bank (a criminal act)? Or did I just make an “undocumented withdrawal” (PC term)? 🙄 What if someone breaks into your house, robs you and kills your wife? Is that a “threat actor”? Or is that a criminal?