Researchers at SophosLabs came across a sophisticated attack that uses a unique combination of techniques to evade detection and that allows the malware to communicate with its command and control (C2) servers through a firewall. Dubbed “Cloud Snooper”, the attack has been discovered during investigation of a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud and appears to be the work of a nation-state sponsored threat actor.

“Though we discovered the technique in use on AWS, the problem is not an AWS problem per se. It represents a method of piggybacking C2 traffic on a legitimate traffic, such as normal web traffic, in a way that can bypass many, if not most, firewalls,” Sophos said.

In the observed attack, the compromised systems were running both Linux and Windows EC2 instances. While the AWS security groups were configured to only allow inbound HTTP or HTTPS traffic, the hacked Linux system was still listening for inbound connections on ports 2080/TCP and 2053/TCP.

Further analysis revealed the compromised system was infected with a rootkit that allowed its operators to remotely control the server through the AWS SGs, as well as communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. The researchers identified multiple Linux hosts, infected with the same or a similar rootkit and a Windows system with a backdoor based on the Gh0st RAT malware that communicated with a similar C2 as other compromised Linux hosts in a similar manner.

Sophos has not been able to identify how exactly the attackers managed to breach the client’s system in the first place, but researchers believe the hackers may have accessed the server through SSH, protected with password authentication.

The infection involves a rootkit that inspects network traffic, and a backdoor that communicates with command and control server via rootkit.

To bypass the server’s firewall, the attackers disguised C2 traffic as legitimate traffic, thus ensuring that the firewall does not block traffic that contains instructions for the malware or traffic that contains data sent back to the C2 server.

“In order to get around the firewall rules, the attackers communicate with the rootkit by sending innocent-looking requests to the web server on the normal web server ports. A listener that inspects inbound traffic before it reaches the web server intercepts the specially-crafted requests, and sends instructions to the malware based on characteristics of those requests,” Sophos explained.

“The listener sends a ‘reconstructed’ C2 command to the backdoor Trojan installed by the rootkit. Depending on the commands included into C2 traffic, the attacker may use the backdoor to steal sensitive data from the target. The collected data is then delivered back with the C2 traffic. Only this time, the rootkit has to masquerade it again in order to bypass the [firewall] once again in order to bypass the guards: the wolf dresses itself in sheep’s clothing once again. Once outside, the C2 traffic delivers the collected data back to the attackers.”

During an entire operation, the normal web traffic keeps flowing to and from the web server through the allowed gate while the C2 traffic stays largely indistinguishable from the legitimate web traffic.

“This case is extremely interesting as it demonstrates the true multi-platform nature of a modern attack. When it comes to prevention against this or similar attacks, AWS SGs provide a robust boundary firewall for EC2 instances. However, this firewall does not eliminate the need for network administrators to keep all external-facing services fully patched,” the researchers concluded.