
Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content. From phishing templates to malware and command and control services, it seems crooks have found a new place for them.
Just this month, BleepingComputer reported on two incidents related to malware on Azure. In one case there were about 200 websites showing tech-support scams that were hosted on the platform.
Another article, published this week, reports Azure being used to host a phishing template for Office 365. Since both are Microsoft products, the scam appears as a legitimate login request, increasing its success rate.
It appears that these are not isolated incidents. Security researchers JayTHL and MalwareHunterTeam found malware on Azure and reported it to Microsoft on May 12.
interesting MS-hosted mal f/b @malwrhunterteam
systemservicex.azurewebsites[.]net/Files/prenter.exe
>
systemservicex.azurewebsites[.]net/data.asmx
in a SOAP-format set of messages.
u/a Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485) @JAMESWT_MHT pic.twitter.com/rV0wzpulgW
— JTHL (@JayTHL) May 11, 2019
According to cybersecurity company AppRiver, the reported piece of malware, along with other samples that were uploaded later, was still present on Microsoft’s Azure infrastructure on May 29.
“It's evident that Azure is not currently detecting the malicious software residing on Microsoft's servers,” says David Pickett of AppRiver.
One of the samples, ‘searchfile.exe,’ was indexed by VirusTotal scanning service on April 26, and Windows Defender detects it.
The same goes for the malware found by the two researchers, ‘printer/prenter.exe,’ which is an uncompiled portable executable file, specifically so that gateway and endpoint security solutions do not detect it upon download.

However, Windows Defender will kick in and block the malicious file when users try to download it to the machine.
Pickett says that when ‘printer.exe’ is executed, the command line is invoked to run the C# compiler and thus activate the payload.
“Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors' Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx,” the researcher explains.

JayTHL details that the sample appears to be a simple agent that runs any command it receives from the command and control server. He determined that there could be as many as 90 bots under control, if their ID numbers were generated in sequential order.
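As an added defender-side example, not code from the article, AppRiver or the researchers, the following Python scans constructed proxy log lines for the check-in pattern described above: regular 2-minute POSTs to an .asmx endpoint carrying the .NET web services client user agent quoted in the tweet. The log format, source IPs and timings are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Fields:
# timestamp src_ip method host path user_agent
SAMPLE_LOG = """\
2019-05-29T10:00:00 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
2019-05-29T10:02:01 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
2019-05-29T10:04:00 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
2019-05-29T10:05:59 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
2019-05-29T10:00:30 10.0.0.7 GET  legit-app.azurewebsites.net /api/status Mozilla/5.0 (Windows NT 10.0) Chrome/74.0
2019-05-29T10:07:12 10.0.0.7 GET  legit-app.azurewebsites.net /api/status Mozilla/5.0 (Windows NT 10.0) Chrome/74.0
2019-05-29T10:31:40 10.0.0.7 GET  legit-app.azurewebsites.net /api/status Mozilla/5.0 (Windows NT 10.0) Chrome/74.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(\S+) (\S+) (.+)$")
# Marker from the user agent in the tweet: the default UA of the .NET
# SOAP client stack, rarely seen from an interactive browser session.
DOTNET_SOAP_UA = "MS Web Services Client Protocol"

def parse(log):
    """Yield (timestamp, src, method, host, path, user_agent) per log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path, ua = m.groups()
            yield datetime.fromisoformat(ts), src, method, host, path, ua

def find_beacons(log, period_s=120.0, tolerance_s=5.0, min_hits=3):
    """Return (src, host, path, mean_gap_seconds) for SOAP endpoints that
    one client contacts at a near-constant interval close to period_s."""
    series = defaultdict(list)
    for ts, src, method, host, path, ua in parse(log):
        if path.endswith(".asmx") and DOTNET_SOAP_UA in ua:
            series[(src, host, path)].append(ts)
    hits = []
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Regular cadence (low jitter) around the expected period = beacon.
        if abs(avg - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((*key, round(avg, 1)))
    return hits
```

On the constructed log only 10.0.0.5 is reported; the browser traffic to the second Azure site has neither the SOAP user agent nor a regular cadence.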
Microsoft Azure would not be the first big-name platform abused to store malicious content; Google Drive, Dropbox, and Amazon’s web services are just some examples. Typically, cybercriminals compromise legitimate websites and use them to host malicious content, but they will not shy away from grabbing any opportunity to do their business, especially if little risk and effort are on the table.
Update [05.06.2019]: Security researcher MalwareHunterTeam told BleepingComputer that the number of tech-support sites hosted on Azure grew from 200 to approximately 600 and anyone monitoring them will likely count close to 1000, if not more.
This situation has been going on for months, with lawyers, government officials, CEOs, and accountants being served phishing templates hosted on Microsoft infrastructure.
Seriously, the amount of lawyers through gov officials through bank employees through AP accountants/analysts/coordinators through everything getting phished using MS hosted phishing pages is totally out of control.
And seems no one on Earth cares about...
WTF?
@JayTHL
— MalwareHunterTeam (@malwrhunterteam) May 16, 2019
The researcher put together a thread with numerous examples where key people in various organizations fell into the phishing trap concocted by Nigerian threat actors. In one case observed on June 1, someone from the U.S. Department of Homeland Security repeatedly attempted to log into a phishing page using two different passwords.
What I just saw?
Someone from @DHSgov's network (2 different IPs) tried to login on a MS hosted phishing page 5 times. Of course, with an email address ending in .dhs.gov... 4 times the same password & once a different one.
Ahh... @JayTHL @DanielGallagher
— MalwareHunterTeam (@malwrhunterteam) June 1, 2019
Comments
Bullwinkle-J-Moose - 5 years ago
Microsoft Spyware Platform 10 Being Used to Host Malware
https://www.zdnet.com/article/russian-military-moves-closer-to-replacing-windows-with-astra-linux/