Threat actors abuse Microsoft Azure cloud services to host malware and as command and control (C&C) servers.
Hackers are taking a keen interest in cloud service platforms. This emerging computing model provides on-demand computing services and eliminates the operational costs of deploying servers and software applications, and those same properties make it attractive for malicious purposes such as storing malware or hosting command and control servers. Security researchers had already spotted malware hosted on the Microsoft Azure platform, and now it appears to be Azure's turn to host tech-support scam and phishing templates. Researchers at AppRiver observed attackers deploying malware on the Microsoft Azure platform, and the bad news is that the malware had still not been removed weeks later, as of May 29. “Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, but it is also functioning as the command and control infrastructure for the malicious files” reads the analysis published by AppRiver.
“On May 11, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on May 12 for abuse via ticket #SIR0552640. However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later.”
Experts from AppRiver pointed out that Azure is failing to detect the malware hosted on Microsoft's own servers.
They said, “No service is infallible to being attacked or exploited. It’s evident that Azure is not currently detecting the malicious software residing on Microsoft’s servers. However, if a user attempts to download the executables, Windows Defender does detect the malicious files.”
In one case, a sample named searchfile.exe was uploaded to VirusTotal on April 26, 2019. Although Windows Defender detects the malware on download, Azure is currently failing to block its upload and continued presence on the platform.
Experts believe that this trend will continue to grow: hackers will not only abuse Microsoft Azure but will also exploit other cloud services (e.g. Dropbox, Google Drive, and Amazon) to avoid detection.