Monday, November 11, 2024
HomeCloudHackers Abusing Microsoft Azure to Deploy Malware and C2 Servers Using Evasion...

Hackers Abusing Microsoft Azure to Deploy Malware and C2 Servers Using Evasion Technique

Published on

Malware protection

Now Microsoft Azure becomes a sweet spot for hackers to host powerful malware and also as a command and control server for sending and receiving commands to compromised systems.

Microsoft Azure is a cloud computing platform created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Initially, this malicious operation was uncovered and reported by @JayTHL & @malwrhunterteam via Twitter in which they provide the evidence that there is a malicious software being hosted in Microsoft Azure.

- Advertisement - SIEM as a Service
https://twitter.com/JayTHL/status/1127334608142503936

Researcher’s already reported this malicious operation to Microsoft. however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later, Appriver Reported.

This is an evidence of Azure that failed to detect the malware residing on the Microsoft server, but Windows defender is detecting the malicious files if users attempt to download from the malware-hosting server.

Windows defender detects this malware as Trojan:Win32/Occamy.C and the first new sample ( searchfile.exe ) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30, but also remains undetected on Azure servers.

According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now. 

Based on the analysis report using the printer.exe file, attackers uncompiled this malware with the c# .net portable executable file.

Attackers cleverly using an uncompiled file as an attempt to evade the gateway and endpoint security detection by thoroughly examining the downloaded binaries.

” Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx”

This is not a first-time malware operator abusing Azure, but already we reported that attackers abuse Microsoft Azure Blog Hosting and it also attempted to steal the login credentials.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.

Also Read:

Microsoft ‘s New Tamper Protection in Defender ATP Lets block never-before seen Malware within Seconds

Hackers Bypass Multi-factor Authentication to Hack Office 365 & G Suite Cloud Accounts Using IMAP Protocol

Most Important Key Factors Organizations Should Consider in Implementing the Cloud Security Solutions

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...