Microsoft Azure Being Used to Host Malware and C2 Servers

javajolt
« on: June 02, 2019, 02:23:06 AM »

Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content. From phishing templates to malware and command and control services, it seems that crooks found a new place for them.

Just this month, BleepingComputer reported on two incidents related to malware on Azure. In one case there were about 200 websites showing tech-support scams that were hosted on the platform.

Another article, published this week, reports that Azure is being used to host a phishing template for Office 365. Since both are Microsoft products, the scam appears as a legitimate login request, which increases its success rate.

It appears that these are not isolated incidents. Security researchers JayTHL and MalwareHunterTeam found malware on Azure and reported it to Microsoft on May 12.

According to the cybersecurity company AppRiver, the reported piece of malware, along with other samples uploaded later, was still present on Microsoft’s Azure infrastructure on May 29.

“It's evident that Azure is not currently detecting the malicious software residing on Microsoft's servers,” says David Pickett of AppRiver.

One of the samples, ‘searchfile.exe,’ was indexed by VirusTotal scanning service on April 26, and Windows Defender detects it.

The same goes for the malware found by the two researchers, ‘printer/prenter.exe,’ which is an uncompiled portable executable; it is left uncompiled deliberately so that gateway and endpoint security solutions do not detect it upon download.

However, Windows Defender will kick in and block the malicious file when users try to download it onto the machine.

Pickett says that when ‘printer.exe’ is executed, the command line is invoked to run the C# compiler, which builds and activates the payload.

“Once running, this malicious agent generates XML SOAP requests every 2 minutes to check in and receive commands from the malicious actor’s Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx,” the researcher explains.

JayTHL details that the sample appears to be a simple agent that runs any command it receives from the command and control server. He determined that there could be as many as 90 bots under control if their ID numbers were generated in sequential order.
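The behaviour described above, a fixed two-minute SOAP check-in to a .asmx endpoint on a shared cloud hostname, is exactly the kind of pattern a network defender can surface from proxy logs. The following is an added example, not code from the article, AppRiver or the researchers: it parses a handful of constructed proxy log lines (the format, the client addresses and all hosts other than the C2 name quoted in the article are assumptions) and flags any client/URL pair whose request spacing is nearly constant, annotating whether the endpoint looks like a SOAP service and whether it sits on the azurewebsites.net platform.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed web-proxy log lines (not from the article): ISO timestamp, client IP,
# HTTP method, full URL, response status. Client 10.0.0.5 checks in roughly every
# 2 minutes against the C2 endpoint named in the report; the remaining entries are
# ordinary, irregular traffic used as a control.
SAMPLE_LOG = """\
2019-05-29T09:00:00Z 10.0.0.5 POST https://systemservicex.azurewebsites.net/data.asmx 200
2019-05-29T09:00:00Z 10.0.0.7 GET https://shop.example.azurewebsites.net/api/items 200
2019-05-29T09:00:15Z 10.0.0.7 GET https://shop.example.azurewebsites.net/api/items 200
2019-05-29T09:02:00Z 10.0.0.5 POST https://systemservicex.azurewebsites.net/data.asmx 200
2019-05-29T09:03:40Z 10.0.0.7 GET https://shop.example.azurewebsites.net/api/items 200
2019-05-29T09:04:00Z 10.0.0.5 POST https://systemservicex.azurewebsites.net/data.asmx 200
2019-05-29T09:05:30Z 10.0.0.5 GET https://update.example.com/check 304
2019-05-29T09:06:01Z 10.0.0.5 POST https://systemservicex.azurewebsites.net/data.asmx 200
2019-05-29T09:08:00Z 10.0.0.5 POST https://systemservicex.azurewebsites.net/data.asmx 200
2019-05-29T09:10:02Z 10.0.0.7 GET https://shop.example.azurewebsites.net/api/items 200
2019-05-29T09:11:30Z 10.0.0.5 GET https://update.example.com/check 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_lines(text):
    """Parse proxy log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def beacon_candidates(records, min_requests=4, max_cv=0.1):
    """Flag (client, URL) pairs whose request spacing is nearly constant.

    For each pair with at least min_requests hits, the gaps between consecutive
    requests are measured; a coefficient of variation (stdev / mean) at or below
    max_cv means the client is polling on a fixed timer, which is how the agent in
    the report behaves. SOAP-style .asmx paths and hosts on the shared
    azurewebsites.net platform are annotated to help an analyst prioritise; they
    are not used as the trigger on their own, since plenty of legitimate services
    live there too.
    """
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["url"])].append(rec["ts"])

    findings = []
    for (src, url), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        parsed = urlparse(url)
        host = parsed.hostname or ""
        findings.append({
            "src": src,
            "url": url,
            "count": len(stamps),
            "mean_interval_s": avg,
            "cv": cv,
            "soap_endpoint": parsed.path.lower().endswith(".asmx"),
            "shared_cloud_host": host.endswith(".azurewebsites.net"),
        })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_lines(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['url']}: {f['count']} hits every "
              f"{f['mean_interval_s']:.0f}s (cv={f['cv']:.3f}, "
              f"soap={f['soap_endpoint']}, shared_cloud={f['shared_cloud_host']})")
```

On the constructed input only the 10.0.0.5 traffic to data.asmx is reported (five hits, 120 s apart, cv below 0.01); the shop traffic has the same number of hits but irregular gaps, and the update checks fall under the minimum count. In production the thresholds and the minimum request count should be tuned per environment, and the annotation flags are a triage aid rather than evidence of compromise.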

Microsoft Azure would not be the first big-name platform abused to store malicious content; Google Drive, Dropbox, and Amazon’s web services are just some examples. Typically, cybercriminals compromise legitimate websites and use them to host malicious content, but they will not shy away from grabbing any opportunity to do their business, especially when it involves little risk and effort.

source