Hackers use Microsoft Azure to host malware and run C2 servers

News by Rene Millman

The malicious software on Azure was reported to Microsoft on 12 May. However, the original malware remains on the Azure site as of 29 May

Hackers are abusing Microsoft’s Azure cloud service to not only host malware, but also run command and control infrastructure for malicious files.

According to a blog post by security researchers at AppRiver, the latest piece of malware to be detected on the cloud was still present on Microsoft’s infrastructure at the end of May, over two weeks after it was reported.

"On 11 May, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on 12 May for abuse via ticket #SIR0552640. However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of 29 May, 2019 - 17 days later," said David Pickett, a security analyst at AppRiver.

He said it is evident that Azure is not currently detecting the malicious software residing on Microsoft's servers, although if a user attempts to download the executables, Windows Defender does detect the malicious files.

The malware, dubbed serachfile.exe, is detected by Windows Defender as Trojan:Win32/Occamy.C. Another sample, printer.exe, is simple uncompiled C# .NET source distributed under an .exe name rather than a compiled binary, which Pickett describes as an "evasion attempt for avoiding gateway and endpoint security solutions that heavily scrutinise downloaded binaries".

Pickett said that when printer.exe is executed, the command line is invoked to run the C# compiler, which builds and activates the payload.

"Once running, this malicious agent generates XML SOAP requests every two minutes to check-in and receive commands from the malicious actor's Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx," he added.
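The check-in pattern Pickett describes (a POST of a SOAP body to an .asmx endpoint on an azurewebsites.net host, repeated on a fixed two-minute timer) is something a defender can hunt for in proxy logs without blacklisting the cloud provider's whole domain. The script below is an added example, not AppRiver's tooling: it parses a constructed, invented log format, keeps only SOAP POSTs to .asmx paths under azurewebsites.net, and flags client/host/path triples whose request intervals are near-constant. The 10.1.2.4 client and the legit-app hostname are made up to show a non-periodic .asmx consumer that should not be flagged; the thresholds are assumptions.

```python
"""Flag periodic SOAP check-ins to *.azurewebsites.net in web-proxy logs.

Added example, not code from AppRiver or the article. The log format, the
hostnames other than the one named in the article, and the thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <content-type>".
# 10.1.2.3 mimics the two-minute check-in described in the article;
# 10.1.2.4 talks to an invented legitimate .asmx service at irregular times.
SAMPLE_LOG = """\
2019-05-29T10:00:01Z 10.1.2.3 POST http://systemservicex.azurewebsites.net/data.asmx text/xml
2019-05-29T10:00:15Z 10.1.2.3 GET http://www.example.com/ text/html
2019-05-29T10:02:01Z 10.1.2.3 POST http://systemservicex.azurewebsites.net/data.asmx text/xml
2019-05-29T10:04:02Z 10.1.2.3 POST http://systemservicex.azurewebsites.net/data.asmx text/xml
2019-05-29T10:06:01Z 10.1.2.3 POST http://systemservicex.azurewebsites.net/data.asmx text/xml
2019-05-29T10:08:02Z 10.1.2.3 POST http://systemservicex.azurewebsites.net/data.asmx text/xml
2019-05-29T10:00:30Z 10.1.2.4 POST http://legit-app.azurewebsites.net/api/save.asmx text/xml
2019-05-29T10:07:45Z 10.1.2.4 POST http://legit-app.azurewebsites.net/api/save.asmx text/xml
2019-05-29T10:09:10Z 10.1.2.4 POST http://legit-app.azurewebsites.net/api/save.asmx text/xml
2019-05-29T10:20:05Z 10.1.2.4 POST http://legit-app.azurewebsites.net/api/save.asmx text/xml
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+)$"
)
SOAP_TYPES = {"text/xml", "application/soap+xml"}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        parts = urlsplit(rec["url"])
        rec["host"] = (parts.hostname or "").lower()
        rec["path"] = parts.path
        records.append(rec)
    return records


def is_soap_to_azure_site(rec):
    """True for a SOAP POST to an .asmx endpoint hosted on *.azurewebsites.net."""
    return (
        rec["method"] == "POST"
        and rec["ctype"].split(";")[0] in SOAP_TYPES
        and rec["path"].lower().endswith(".asmx")
        and rec["host"].endswith(".azurewebsites.net")
    )


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Return client/host/path groups whose request gaps are near-constant.

    max_jitter bounds the coefficient of variation (stdev/mean) of the gaps;
    a sleep-driven C2 loop sits close to zero, human-driven traffic does not.
    """
    groups = defaultdict(list)
    for rec in records:
        if is_soap_to_azure_site(rec):
            groups[(rec["client"], rec["host"], rec["path"])].append(rec["ts"])

    hits = []
    for (client, host, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"client": client, "host": host, "path": path,
                         "hits": len(times), "period_s": period, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{h['client']} -> {h['host']}{h['path']}: "
              f"{h['hits']} check-ins every ~{h['period_s']:.0f}s")
```

On the constructed input only 10.1.2.3 is reported, with a period of roughly 120 seconds; the legit-app client has the same number of .asmx POSTs but its gaps vary too much. In a real deployment the hostname filter would be widened to whatever cloud-hosted domains the organisation cannot simply block, which is the point Rashti makes below.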

Roy Rashti, cyber-security expert at BitDam, told SC Media UK that cloud providers own their servers, meaning they have full access to the data.

"However, they're in a tough spot because nobody wants them to scan the traffic or files they pay to host but doing so is probably the most effective way to protect against malware," he said.

"Many attackers can be very quickly blocked by companies blacklisting their servers. However, when operating under a cloud service domain such as Amazon, Google, Microsoft or any other, the domain is hosted by those companies and should not be blacklisted. Mitigating the threat along with its various forms and variants is a fight harder to win."

Chris Miller, regional director, UK & Ireland at RSA Security, told SC Media UK that the first challenge in combating cloud-based malware – as with any digital risk – is ensuring visibility of the threat.

"This is why businesses have to take a business-driven approach to managing digital risk, which involves breaking down the siloes between IT, security and risk teams. Cloud risk can be particularly difficult to manage because these services are often accessed outside the purview of security, through what has become known as ‘shadow IT’," he said.

"Ensuring IT and security teams have visibility of all services that are being used, and crucially what they are being used for – for instance, are they being used to host or process any customer details? If a third party cloud provider is breached or exposes you to malware, then it is still you that is responsible for your customer’s data; there’s no passing the buck."
