Abusing third-party cloud services in targeted attacks

Presented at VB2019, Oct. 2, 2019, 4:30 p.m. (30 minutes)

The infrastructure of malware is important for both attackers and defenders. A typical piece of malware needs to reach an attacker-operated server to get its commands and send the results back. Yet, on the attacker's side, designing, implementing and maintaining a C&C infrastructure is time- and resource-consuming as well as error-prone. On the defender's side, analysing the infrastructure of a threat actor is useful in building patterns for detection, tracking an actor's activity, gathering more intelligence about it and correlating it to known groups. Threat actors performing targeted attacks have high stealth requirements, and we have seen attacks that shifted to cloud services for this reason. This seems to be a smart move, as the infrastructure is maintained by a third party and the malicious traffic is mixed with legitimate traffic. However, such a choice has drawbacks for the attacker. In this presentation we will show examples of targeted attacks involving threat actors from different parts of the world, for example Muddywater or Confucius, that moved part of their infrastructure to well-known third-party cloud services: file-sharing services (e.g. *Dropbox*, *Google* *Drive*), communication and collaboration services (e.g. *Slack*, *Telegram*), version control services (e.g. *GitHub*) or publishing platforms (e.g. *Blogger*). We will detail different implementations and how we managed to use them to our advantage to find out more about the attackers and their campaigns. ### Related links * [New SLUB Backdoor Uses GitHub, Communicates via Slack](https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/) (*Trend Micro*)

Presenters:

• Jaromir Horejsi - Trend Micro
  Jaromir Horejsi Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking trojans, click fraud and ransomware. In the past he has presented his research at RSAC, Virus Bulletin, FIRST, AVAR, Botconf and CARO. @JaromirHorejsi
• Daniel Lunghi - Trend Micro
  Daniel Lunghi Daniel Lunghi is a threat researcher at Trend Micro. He has been monitoring threat actors, hunting malware and performing incident response investigation for years, sometimes in IT infrastructures involving thousands of hosts. When not on the trail of online attackers, Daniel still spends time in front of a keyboard - on a piano. @thehellu

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/abusing-third-party-cloud-services-targeted-attacks
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf

Similar Presentations:

• Black Hat Europe 2021 / TeamTNT: Explosive Cryptomining
• VB2015 / C&C-as-a-Service: abusing third-party web services as C&C channels
• TROOPERS16 (2016) / Let's Play Hide and Seek In the Cloud - The APT Malware Favored in Cloud Services