Typosquatting for cloud-native espionage: The campaign relies heavily on deception, the researchers pointed out, using C2 domains that closely resemble legitimate Alibaba Cloud services. The typosquatting approach allows malicious traffic to blend into routine cloud operations, specifically in environments where outbound filtering is absent.

The implant is an obfuscated ELF binary, an executable designed to gain and maintain access within Linux cloud instances. The researchers said the binary was not detected at all on VirusTotal at the time of analysis, supporting their "zero-detection" claim.

The malware also does not respond to unintentional probes: the C2 infrastructure remains silent unless the correct (malicious) handshake is established. This throws off automated scanning and sandboxing.

Additionally, communication over SMTP (port 25) adds a layer of stealth. While conventional C2 traffic sticks to HTTP/S, SMTP is used here to blend into legacy or misconfigured environments where port 25 traffic is expected. "Many cloud security tools do not deeply inspect SMTP traffic for C2 patterns," the researchers noted. "Egress filtering on port 25 is inconsistent across cloud providers."
Indicators and detection: Despite the use of stealth, the researchers were able to connect the dots with the help of independent research by @Xlab_qax, who attributed the campaign and its lineage to APT41 with high confidence. Indicators shared by the researchers include files and network signatures (domain and ports). They also included a list of MITRE ATT&CK tactics for a broader understanding of the years-long campaign.

Breakglass's disclosure pointed to a behavior-driven detection approach across layers. On the network side, defenders should look for unusual outbound SMTP traffic, connections to Alibaba Cloud-lookalike domains, and periodic UDP broadcasts to 255.255.255.255:6006. On the host, they should watch for obfuscated or unknown ELF binaries and unexpected process access to instance metadata endpoints.

And finally, in the cloud, monitoring metadata service queries and anomalous use of role-based credentials, particularly where activity deviates from the instance's normal behavior, can help, the researchers said.
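The behaviors described in the two sections above (outbound SMTP from an unexpected process, connections to Alibaba Cloud-lookalike domains, periodic UDP broadcasts to 255.255.255.255:6006, and metadata endpoint access from an unknown binary) can be turned into simple detection rules. The following script is an added example, not code from the article or from Breakglass: it runs those rules over a handful of constructed flow-log lines. The log format, the process names, the allowlists, and the `.invalid` lookalike hostname are all assumptions made for the example; the metadata addresses (100.100.100.200 for Alibaba Cloud ECS, 169.254.169.254 for the EC2-style link-local service) are the published endpoints.

```python
"""Behavior-driven detection over constructed cloud flow-log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, one event per line:
# <ISO timestamp> <proto> <src_ip> <dst_ip> <dst_port> <dst_host or -> <process>
SAMPLE_LOG = """\
2025-01-10T10:00:00 tcp 10.0.1.5 203.0.113.10 25 - unknown_elf
2025-01-10T10:00:05 tcp 10.0.1.5 203.0.113.10 443 aliyum.invalid unknown_elf
2025-01-10T10:00:10 udp 10.0.1.5 255.255.255.255 6006 - unknown_elf
2025-01-10T10:01:10 udp 10.0.1.5 255.255.255.255 6006 - unknown_elf
2025-01-10T10:02:10 udp 10.0.1.5 255.255.255.255 6006 - unknown_elf
2025-01-10T10:02:30 tcp 10.0.1.5 100.100.100.200 80 - unknown_elf
2025-01-10T10:03:00 tcp 10.0.1.5 100.100.100.200 80 - cloud-init
2025-01-10T10:03:05 tcp 10.0.1.5 198.51.100.7 443 ecs.aliyuncs.com app
"""

# Legitimate Alibaba Cloud registrable domains (assumed allowlist a team would maintain).
LEGIT_DOMAINS = {"aliyun.com", "aliyuncs.com", "alibabacloud.com"}
# Instance metadata service addresses (Alibaba Cloud ECS and the EC2-style link-local one).
METADATA_IPS = {"100.100.100.200", "169.254.169.254"}
# Processes expected to speak SMTP or query metadata on this fleet (assumed allowlists).
SMTP_ALLOW = {"postfix", "sendmail"}
METADATA_ALLOW = {"cloud-init", "aliyun-service"}
BROADCAST_DST = ("255.255.255.255", 6006)


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, port, host, proc = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "proto": proto, "src": src,
                       "dst": dst, "port": int(port),
                       "host": None if host == "-" else host, "proc": proc})
    return events


def levenshtein(a, b):
    """Edit distance, used to spot typosquats of the legitimate domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True if the registrable domain is close to, but not one of, the legit domains."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return False  # real Alibaba Cloud host (any subdomain of an allowlisted domain)
    sld = labels[-2]
    return any(levenshtein(sld, legit.split(".")[0]) <= 2 for legit in LEGIT_DOMAINS)


def is_periodic(timestamps, min_events=3, tolerance=5.0):
    """True if the gaps between events are nearly constant (beacon-like behavior)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance


def detect(events):
    """Apply the four rules and return (rule_name, detail) findings in log order."""
    findings = []
    broadcasts = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["port"] == 25 and e["proc"] not in SMTP_ALLOW:
            findings.append(("outbound_smtp", f"{e['proc']} -> {e['dst']}:25"))
        if e["host"] and is_lookalike(e["host"]):
            findings.append(("lookalike_domain", e["host"]))
        if e["dst"] in METADATA_IPS and e["proc"] not in METADATA_ALLOW:
            findings.append(("metadata_access", f"{e['proc']} -> {e['dst']}"))
        if e["proto"] == "udp" and (e["dst"], e["port"]) == BROADCAST_DST:
            broadcasts[(e["src"], e["proc"])].append(e["ts"])
    for (src, proc), stamps in broadcasts.items():
        if is_periodic(stamps):
            findings.append(("periodic_broadcast", f"{proc} on {src}, {len(stamps)} beacons"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

Run against the sample, the script flags the SMTP connection, the lookalike host, the metadata query from the unknown binary, and the three evenly spaced broadcasts, while the `cloud-init` metadata query and the genuine `aliyuncs.com` host pass. The allowlists are the part a team has to tune: an instance that legitimately relays mail will need its MTA listed, otherwise the SMTP rule is noise.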
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4158396/china-linked-cloud-credential-heist-runs-on-typos-and-smtp.html

