Now, Microsoft Azure is a sweet spot for hackers to host powerful malware and also to send and receive a command to affected systems as command and control servers.
Microsoft Azure is a Microsoft-created cloud computing platform for building, testing, deploying and managing applications and services via Microsoft-controlled data centers.
Initially, it was uncovered and reported through Twitter by @JayTHL & @malwrhunterteam to show evidence of malicious software being hosted in Microsoft Azure.
interesting MS-hosted mal f/b @malwrhunterteam
systemservicex.azurewebsites[.]net/Files/prenter.exe
>
systemservicex.azurewebsites[.]net/data.asmx
in a SOAP-format set of messages.
u/a Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)@JAMESWT_MHT pic.twitter.com/rV0wzpulgW— JTHL (@JayTHL) 11 May 2019
The researcher has already reported to Microsoft this malicious operation. However, the Azure website still had the original malware (plus additional samples uploaded since) from May 29, 2019–17 days later, Appriver reported.
This is evidence that Azure did not detect the malware on the Microsoft server, but the defender in Windows detects the malicious files when users are trying to download from the malware server.
The Windows defender detected the malware as Trojan: Win32/Occamy. C and initially uploaded the first sample to VirusTotal (Searchfile.exe) on April 26, 2019, and then submitted another sample (printer / prenter.exe) on April 30, but also remained undetected on the Azure servers.
According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now.
According to the analytics report, attackers have uncompiled the malware with the portable executable c#.net file.
Attackers use an uncompiled file cleverly, to evade the security gateway and endpoint detection by examining the downloaded binaries thoroughly.
“If running, this malicious agent will generate XML SOAP check-in and receive commands from the malicious actors on: systemservicex[.]azureweb sites[.]net / data[.]asmx”
This is not the first time Azure malware operator has abused it but we have already reported that Microsoft Azure Blog Hosts are abused by attackers and also tried to steal the login credentials.
Leave a Reply