

A new malware campaign has been discovered that uses a sophisticated technique to steal API keys and secrets from cloud services such as AWS, Google Cloud Platform, and Microsoft Azure. The malware, called AlienFox, is delivered through phishing emails that contain malicious attachments or links to compromised websites. The AlienFox "toolset" is also being distributed on Telegram as a way for threat actors to harvest credentials from popular cloud service providers.

Once executed, the malware scans the victim's system for files and registry entries containing credentials for cloud services. This information is then encrypted and sent to a remote server controlled by the attackers. A custom protocol is used to communicate with the command and control (C2) server, making the traffic more difficult to identify and block, and the malware combines obfuscation, encryption, and anti-analysis techniques to avoid detection.

The C2 server can also instruct the malware to download and execute additional payloads, such as ransomware, data exfiltration tools, or lateral movement tools. By stealing API keys and secrets, attackers can access the victim's cloud resources, including virtual machines, databases, storage buckets, and containers. This poses a serious threat to organizations using cloud services.
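As an added example (not from the article or from any AlienFox analysis), the following Python audit looks for the same kind of on-disk cloud credential material the malware harvests, so defenders can find and remove or tighten it before a stealer does. The file names, the AWS key prefix pattern and the sample secrets are assumptions and constructed placeholders, not values from the page.

```python
import json
import re
import stat
import tempfile
from pathlib import Path

# Assumed artifacts (not named in the article): file names and text patterns in
# which AWS, GCP and Azure client tools commonly cache credentials on a host.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I)
KNOWN_NAMES = {"credentials", "accessTokens.json", "azureProfile.json",
               "application_default_credentials.json"}

def classify(path: Path) -> list[str]:
    """Reasons this file looks like it holds cloud credentials (empty if none)."""
    reasons = [f"known credential file name: {path.name}"] if path.name in KNOWN_NAMES else []
    text = path.read_text(errors="ignore")
    if AWS_KEY_RE.search(text):
        reasons.append("AWS access key id present")
    if AWS_SECRET_RE.search(text):
        reasons.append("aws_secret_access_key entry present")
    if path.suffix == ".json":
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            reasons.append("GCP service-account key with embedded private key")
    return reasons

def audit(root: Path) -> list[dict]:
    """Walk root; report each credential-bearing file and whether other users can read it."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = classify(path)
        if reasons:
            world_readable = bool(path.stat().st_mode & stat.S_IROTH)
            findings.append({"path": str(path.relative_to(root)),
                             "reasons": reasons, "world_readable": world_readable})
    return findings

def build_sample_home() -> Path:
    """Constructed sample home directory; every secret value here is a fake placeholder."""
    home = Path(tempfile.mkdtemp())
    (home / ".aws").mkdir()
    aws = home / ".aws" / "credentials"
    aws.write_text("[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
                   "aws_secret_access_key = not-a-real-secret\n")
    aws.chmod(0o644)  # too permissive: any local user (or process) can read it
    (home / "sa.json").write_text(json.dumps(
        {"type": "service_account", "private_key": "FAKE-PEM", "client_email": "x@example"}))
    (home / "notes.txt").write_text("nothing sensitive here\n")
    return home

if __name__ == "__main__":
    for finding in audit(build_sample_home()):
        print(finding)
```

Each finding is a candidate for moving to short-lived tokens or a secrets manager, and a world-readable hit is the first thing to fix.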
