Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
Summary
Researchers have discovered a new cluster of activity, tracked as CL-STA-1020, targeting government entities in Southeast Asia, which uses a previously undocumented Windows backdoor called HazyBeacon.
The threat actors behind this campaign have been collecting sensitive government data, including information about trade disputes.
The actors used AWS Lambda URLs for command and control (C2), which creates a reliable, scalable and difficult-to-detect communication channel, enabling the threat actors to hide in plain sight.
The attackers used DLL sideloading and created a Windows service named msdnetsvc to ensure that the HazyBeacon DLL would be loaded even after a reboot.
The attack flow began with the execution of a file collector, followed by the use of file uploaders to legitimate cloud storage services, including Google Drive and Dropbox, to blend with normal network traffic.
The attack highlighted attackers’ continued abuse of legitimate cloud services, and security teams should develop detection strategies to identify suspicious patterns of communication.
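One detection strategy for the pattern described above, as an added example that is not part of the original summary or the researchers' report: flag Lambda function URLs (which have the fixed shape `https://<id>.lambda-url.<region>.on.aws/`) that only a handful of internal hosts ever contact, then check whether those hosts go on to upload to Dropbox or Google Drive. The proxy log format, hostnames, URL ids and byte counts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the page): "<time> <host> <method> <url> <bytes_out>"
SAMPLE_LOGS = """\
2025-07-01T09:00:01Z WS-0142 POST https://abc123xyz.lambda-url.us-east-1.on.aws/ 48213
2025-07-01T09:05:11Z WS-0142 POST https://abc123xyz.lambda-url.us-east-1.on.aws/ 51009
2025-07-01T09:10:02Z WS-0142 GET https://abc123xyz.lambda-url.us-east-1.on.aws/ 312
2025-07-01T09:11:40Z WS-0142 POST https://content.dropboxapi.com/2/files/upload 2093441
2025-07-01T09:12:03Z WS-0007 GET https://www.microsoft.com/en-us/ 1204
2025-07-01T09:15:27Z WS-0099 GET https://d1abcd.lambda-url.eu-west-1.on.aws/ 512
2025-07-01T09:15:28Z WS-0100 GET https://d1abcd.lambda-url.eu-west-1.on.aws/ 511
2025-07-01T09:15:29Z WS-0101 GET https://d1abcd.lambda-url.eu-west-1.on.aws/ 513
"""
# Lambda function URLs have the fixed shape https://<id>.lambda-url.<region>.on.aws/
LAMBDA_URL_RE = re.compile(r"^https://[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws/", re.I)
UPLOAD_HOSTS = ("content.dropboxapi.com", "www.googleapis.com")  # Dropbox / Google Drive upload APIs

def parse_line(line):
    ts, host, method, url, out_bytes = line.split()
    return {"ts": ts, "host": host, "method": method, "url": url,
            "dest": url.split("/")[2], "bytes": int(out_bytes)}

def find_rare_lambda_destinations(log_text, max_hosts=2):
    """Lambda URL destinations contacted by at most `max_hosts` internal hosts, with stats.
    Rarity across the fleet is the signal: one workstation beaconing alone deserves a look."""
    stats = defaultdict(lambda: {"hosts": set(), "requests": 0, "bytes_out": 0})
    for rec in map(parse_line, log_text.splitlines()):
        if not LAMBDA_URL_RE.match(rec["url"]):
            continue
        s = stats[rec["dest"]]
        s["hosts"].add(rec["host"]); s["requests"] += 1; s["bytes_out"] += rec["bytes"]
    return {d: {"hosts": sorted(s["hosts"]), "requests": s["requests"], "bytes_out": s["bytes_out"]}
            for d, s in stats.items() if len(s["hosts"]) <= max_hosts}

def hosts_uploading_after_beacon(log_text, flagged):
    """Hosts that contacted a flagged Lambda URL and then POSTed to a cloud storage upload API,
    mirroring the collect-then-upload flow in the summary. Assumes time-ordered log lines."""
    seen_beacon, result = set(), set()
    for rec in map(parse_line, log_text.splitlines()):
        if rec["dest"] in flagged:
            seen_beacon.add(rec["host"])
        elif rec["method"] == "POST" and rec["dest"] in UPLOAD_HOSTS and rec["host"] in seen_beacon:
            result.add(rec["host"])
    return sorted(result)

if __name__ == "__main__":
    flagged = find_rare_lambda_destinations(SAMPLE_LOGS)
    print(flagged, hosts_uploading_after_beacon(SAMPLE_LOGS, flagged))
```

In practice the host threshold should be tuned against a baseline of the organisation's own Lambda URL usage, since legitimate internal apps hosted on Lambda will show up the same way.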