Threat actors abuse Microsoft Azure to Host Malware and C2 Servers

Microsoft Azure cloud services are being abused by threat actors to host malware and as command and control (C&C) servers.

Threat actors look with great interest at cloud services that could be abused for several malicious purposes, like storing malware or implementing command and control servers.

Now it seems to be the Microsoft Azure’s turn, recently experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.

Security researchers already spotted some malware hosted on the Microsoft Azure platform.

Researchers at AppRiver observed attackers deploying malware on the Microsoft Azure platform, the bad news is that those malicious codes were not removed after some weeks, on May 29.

“Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files” reads the analysis published by AppRiver.

“On May 11, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on May 12 for abuse via ticket #SIR0552640.  However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later.”

Experts pointed out that Azure is failing to detect the malware hosted on Microsoft’s servers.

“No service is infallible to being attacked or exploited. It’s evident that Azure is not currently detecting the malicious software residing on Microsoft’s servers. However, if a user attempts to download the executables, Windows Defender does detect the malicious files.”

In one case, a sample named searchfile.exe was uploaded to VirusTotal on April 26, 2019. Even is Windows Defender detects the malware its presence on Azure is not currently blocked. Unfortunately, experts reported many other similar cases.

Experts believe that this trend will continue to grow, threat actors will not only abuse Microsoft Azure, but other cloud services (i.e. Google Drive, Dropbox, and Amazon) will be exploited by attackers to avoid detection.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Microsoft Azure, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]