By investigating malware infections of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, researchers found a sophisticated attack dubbed Cloud Snooper. The attack employs a unique combination of techniques to evade detection and lets the malware communicate with its command and control (C2) servers through a firewall which, under normal circumstances, should prevent that communication from reaching the infected server.
Researchers also pointed out that an attacker can use a specially crafted request to download a backdoor Trojan that intercepts inbound traffic to the target server and steals sensitive data from the target through the backdoor. The complexity of the attack and the use of a customized Advanced Persistent Threat (APT) toolset indicate that the malware's operators are advanced, possibly state-sponsored, threat actors.
The Tactics, Techniques, and Procedures (TTPs) used in the attack include:
- A rootkit to circumvent firewalls and to inspect network traffic;
- A rare technique to gain access to servers using traffic disguised as normal traffic;
- A backdoor payload that shares malicious code between the Windows and Linux operating systems.
Despite a properly configured AWS Security Group (SG), set to allow only inbound HTTP and HTTPS traffic, the infected Linux system was still listening for inbound connections on ports 2080/TCP and 2053/TCP. Analysis of the system revealed a rootkit that enables the malware operators to remotely control servers despite the AWS SGs. The rootkit's functionality is not limited to the Amazon cloud: it can also be used to communicate with and remotely control malware on any server, including on-premises systems, behind any perimeter firewall. The backdoor itself was found to be based on the source code of the Gh0st RAT malware.
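The mismatch described above, a host listening on ports the Security Group would never deliver traffic to, is something a defender can check for. The following is an added example, not code from the researchers' report or from this page: it compares the inbound TCP ports permitted by a Security Group (in the JSON shape returned by `aws ec2 describe-security-groups`, reduced to the fields needed) with the non-loopback listeners reported by `ss -lnt`, using constructed sample data that mirrors the article's case.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# reduced to the fields this check needs: inbound HTTP and HTTPS only.
SG_JSON = """
{"SecurityGroups": [{"GroupId": "sg-example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]}]}
"""

# Constructed sample of `ss -lnt` on the host, including the two unexpected listeners.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:2080         0.0.0.0:*
LISTEN  0       128     *:2053               *:*
"""

def sg_allowed_tcp_ports(sg_json):
    """Inbound TCP ports the group permits; None if a rule allows all protocols."""
    allowed = set()
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            if proto == "-1":  # AWS uses "-1" for "all protocols, all ports"
                return None
            if proto != "tcp":
                continue
            allowed.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return allowed

def external_tcp_listeners(ss_output):
    """Ports bound to a non-loopback address in `ss -lnt` output."""
    listeners = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only services are unreachable from outside anyway
        listeners.add(int(port))
    return listeners

def unexpected_listeners(sg_json, ss_output):
    """Listeners that no Security Group rule would ever deliver traffic to."""
    allowed = sg_allowed_tcp_ports(sg_json)
    if allowed is None:
        return set()  # an allow-all rule makes every listener reachable
    return external_tcp_listeners(ss_output) - allowed
```

Because the page describes a rootkit, `ss` output collected on the suspect host may itself be tampered with; an unexpected listener here is a lead to confirm from an out-of-band view (for example, a mounted disk image or flow logs), not a clean bill of health when the set is empty.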
An application is only as secure as the weakest link in its code, which is why starting early and removing code errors before they turn into security risks is rewarded with lower software maintenance costs. LIFARS’ Secure Code Review service can secure the code and brings more security benefit than most other activities.