
Phishing Campaign Exploits AWS and GitHub to Launch Remote Access Trojans

Security researchers at FortiGuard Labs have uncovered a new phishing campaign in which attackers are leveraging public services such as Amazon Web Services (AWS) and GitHub to host malware and launch remote access trojans (RATs) on infected systems.


The Attack Vector: Phishing Emails with Malicious Java Downloader


The campaign begins with a phishing email that lures victims into loading a malicious, high-severity Java downloader. The email implies that a payment is underway and encourages the recipient to click a button to verify payment details. Once the victim clicks, a harmful JAR file hosted on AWS is downloaded to their computer.

This Java downloader is capable of infecting any platform with Java installed, making it a significant threat to organizations across various industries.


The Payloads: VCURMS RAT, STRRAT RAT, and Data Stealers


Upon successful infection, the Java downloader deploys two remote access trojans (RATs) on the victim's system:

  1. VCURMS RAT: While primarily handling command and control (C2) communication, this RAT also includes a modified version of Rude Stealer and a keylogger in its second phase, designed to gather sensitive data from the victim.

  2. STRRAT RAT: A well-known RAT that gives attackers remote control over the infected system.

The researchers noted that the threat actor employs multiple obfuscation techniques to evade detection and then leverages email to communicate with the C2 server.


The Cloud Hosting Strategy: AWS and GitHub


Hosting malware on public services like AWS and GitHub has become a popular tactic for threat actors, as it provides an easy-to-use platform and offers protection until the malicious activity is detected and reported.

According to Adam Neel, a threat detection engineer at Critical Start, these cloud services allow attackers to avoid detection by waiting until they have already gained a foothold on a system before deploying their malware and tools. Scripts are commonly used to pull these tools from the cloud services.


The Email-Based C2 Communication


One noteworthy aspect of this campaign is that the VCURMS RAT sets up its command and control (C2) communication through email, a tactic not commonly seen. Once ready, attackers can send emails that are parsed by the malware and turned into various commands.


Protecting Your Organization


While this attack employs some uncommon techniques for obfuscation and defense evasion, users can remain safe by exercising caution and not downloading or executing untrusted attachments from phishing emails.


Organizations should also strive to gain visibility and knowledge of their cloud service usage to accurately identify and protect against these new variants, as suggested by Claude Mandy, chief evangelist, data security at Symmetry Systems.
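One way to get that visibility for the delivery step described above is to flag JAR downloads from AWS and GitHub hosts in web proxy logs. The following is an added example, not code from FortiGuard Labs or the original article; the log format, the host suffix list, and every sample line are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: illustrative suffixes; tune to the services your organization uses.
CLOUD_SUFFIXES = ("amazonaws.com", "github.com", "githubusercontent.com")
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}

# Constructed sample proxy log (hypothetical format):
# "<client_ip> <method> <url> <status> <content_type>"
SAMPLE_LOG = """\
10.0.4.17 GET https://example-bucket.s3.amazonaws.com/docs/Payment-Advice.jar 200 application/java-archive
10.0.4.22 GET https://raw.githubusercontent.com/example-user/repo/main/README.md 200 text/plain
10.0.4.31 GET https://objects.githubusercontent.com/release/tool.JAR?token=abc 200 application/octet-stream
10.0.4.40 GET https://amazonaws.com.files.example/update.jar 200 application/java-archive
10.0.4.17 GET https://example-bucket.s3.amazonaws.com/docs/missing.jar 404 text/html
"""

def on_cloud_host(host):
    """Match on a DNS label boundary so 'amazonaws.com.files.example' is not
    mislabelled as an AWS host the way a substring match would."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)

def is_jar(path, content_type):
    """Treat either the file extension or the declared MIME type as a JAR signal,
    since object storage often serves JARs as application/octet-stream."""
    return path.lower().endswith(".jar") or content_type.lower() in JAR_TYPES

def find_jar_downloads(log_text):
    """Return (client, host, path) for each successful JAR fetch from a cloud host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        client, method, url, status, ctype = parts
        if method != "GET" or not status.startswith("2"):
            continue  # only completed downloads put a file on the endpoint
        u = urlsplit(url)  # drops the query string from the path for us
        if u.hostname and on_cloud_host(u.hostname) and is_jar(u.path, ctype):
            hits.append((client, u.hostname, u.path))
    return hits

if __name__ == "__main__":
    for hit in find_jar_downloads(SAMPLE_LOG):
        print(hit)
```

Hits from this check are leads for triage, not verdicts: build tooling and developers legitimately fetch JARs from these services, so correlate with the requesting process and whether the client is a user workstation.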


By staying vigilant, implementing robust security measures, and educating employees on phishing threats, organizations can better protect themselves against this evolving campaign and other similar attacks leveraging cloud services and remote access trojans.
