Hackers abuse Microsoft Azure to use malware and evasion technology on C2 servers

Microsoft createdcloudcomputingplatform

Now, Microsoft Azure is a sweet spot for hackers to host powerful malware and also to send and receive a command to affected systems as command and control servers.

Microsoft Azure is a Microsoft-created cloud computing platform for building, testing, deploying and managing applications and services via Microsoft-controlled data centers.

Initially, it was uncovered and reported through Twitter by @JayTHL & @malwrhunterteam to show evidence of malicious software being hosted in Microsoft Azure.

The researcher has already reported to Microsoft this malicious operation. However, the Azure website still had the original malware (plus additional samples uploaded since) from May 29, 2019–17 days later, Appriver reported.

This is evidence that Azure did not detect the malware on the Microsoft server, but the defender in Windows detects the malicious files when users are trying to download from the malware server.

The Windows defender detected the malware as Trojan: Win32/Occamy. C and initially uploaded the first sample to VirusTotal (Searchfile.exe) on April 26, 2019, and then submitted another sample (printer / prenter.exe) on April 30, but also remained undetected on the Azure servers.

According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now.

According to the analytics report, attackers have uncompiled the malware with the portable executable c#.net file.

ida_ghidra img

Attackers use an uncompiled file cleverly, to evade the security gateway and endpoint detection by examining the downloaded binaries thoroughly.

“If running, this malicious agent will generate XML SOAP check-in and receive commands from the malicious actors on: systemservicex[.]azureweb sites[.]net / data[.]asmx”

This is not the first time Azure malware operator has abused it but we have already reported that Microsoft Azure Blog Hosts are abused by attackers and also tried to steal the login credentials.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.