Level: Technical


The presentation deals with abusing third-party cloud services in targeted attacks. Through multiple APT cases from all around the world, we will show which cloud services were abused, why and how. For each case, we will discuss the advantages and disadvantages of such abuse for malware developers, organization defenders and threat researchers. Both Windows and Android malware cases will be included.

Full description:

In order to achieve their espionage goals, threat actors need a mechanism to exfiltrate data from their targets. Malware developers have a multitude of choices to achieve this task, among which are the design and implementation of a custom communication protocol, and the use of an existing protocol offered by different cloud services.

In this presentation, we will first discuss the benefits and limitations of implementing a custom communication protocol. Then, we will explore cases where the attackers abused third-party cloud services in selected targeted attacks. These cases will include noteworthy targeted threat actors from all over the world, including among others Patchwork (South Asia), Confucius (South Asia), MuddyWater (Middle East), SLUB (Korea), and APT-C-36 (Latin America). In these examples, we will show which cloud services were abused and how exactly it happened. We will mention the additional difficulties these cases brought for the defenders to detect and block these attacks on the network level.

As we will see, the campaigns involved not only Windows operating system but also Android mobile platform. Fortunately, cloud services also open new opportunities for threat researchers that did not exist in traditional C2 communication protocols. We will discuss some of these advantages in the selected examples of targeted attacks that we analyzed.


Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.

Comments are closed.