A threat actor — likely a state-sponsored cyberespionage group — has used a sophisticated technique to allow a piece of malware hosted on a server to communicate with command and control (C2) servers through a firewall.
The attack was spotted by Sophos, which has named the method used by the hackers “Cloud Snooper.” The company came across the attack while investigating a malware infection on an AWS-hosted server, but says the attack may work against any server that is behind a firewall, including on-premises servers.
In the attack analyzed by Sophos, the compromised systems were running both Windows and Linux EC2 instances. While the AWS security groups were configured to only allow inbound HTTP or HTTPS traffic to reach the server, a hacked Linux system was also accepting connections on TCP ports 2080 and 2053, which the attackers opened.
It’s unclear exactly how the attackers planted the malware, but researchers believe they may have accessed the server through a dictionary attack on an exposed SSH port.
The hackers deployed a rootkit that in turn installed a backdoor Trojan. The backdoor, which the attackers could have used to steal sensitive data from the targeted entity, communicated with the C&C server through the rootkit.
Researchers identified backdoors on one Windows system and multiple Linux hosts. An analysis showed that the Windows backdoor was based on the Gh0stRAT malware.
In order to bypass the server’s firewall, the attackers disguised C2 traffic as legitimate traffic. This ensures that the firewall does not block traffic that contains instructions for the malware or traffic that contains data sent back to the ..