Cybercriminals Exploit Azure Functions for Stealthy Command-and-Control Operations

Cybersecurity researchers have identified a malware campaign that hosts its command-and-control (C2) endpoint on Microsoft's Azure Functions. Running the C2 on a legitimate serverless platform complicates detection and blocking: at the domain level the beacon traffic is indistinguishable from traffic to any other Azure-hosted application, and the implant itself runs inside a trusted, signed process.

Initial Discovery and Infection Vector

The campaign came to light when a file named `Servicenow-BNM-Verify.iso` was uploaded to VirusTotal from Malaysia on August 28, 2025. This disk image contained four files:

– A legitimate Palo Alto Networks executable (`PanGpHip.exe`)

– A shortcut file (`servicenow-bnm-verify.lnk`)

– Two hidden dynamic-link libraries (DLLs): `libeay32.dll` and the malicious `libwaapi.dll`

When the user opens the shortcut, it launches the legitimate `PanGpHip.exe`. That executable resolves its dependency `libwaapi.dll` by name and searches its own directory first, so it loads the attacker's copy that ships alongside it in the ISO. This is DLL side-loading: not a flaw in the DLL itself, but a weakness in how the host executable locates the libraries it loads. The malicious code then runs inside a signed Palo Alto Networks process, which is enough to pass the reputation and allow-list checks that would block an unknown binary.

Payload Injection and Obfuscation Techniques

Once activated, `libwaapi.dll` initiates a complex sequence to inject its payload:

1. Console Window Concealment: The malware hides its console window to avoid user detection.

2. Mutex Creation: It establishes a mutex to ensure only one instance runs on the infected system.

3. Payload Injection: The malware writes its main payload into the memory of `chakra.dll`, Microsoft's legitimate Chakra JavaScript engine library. Overwriting the image of a legitimately loaded, signed module means the malicious code executes from a region that appears to be backed by a trusted file on disk, which defeats memory scanners that only flag unbacked or private executable regions.

This process involves multiple layers of decryption and obfuscation:

– RC4 Key Calculation: The malware hashes the string `rdfY&689uuaijs` to generate an RC4 key.

– Payload Decryption: Using the RC4 key, it decrypts the payload, which is an obfuscated shellcode.

– Decompression: The shellcode decompresses the final DLL implant using the LZNT1 algorithm.
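The three unpacking steps above (derive an RC4 key from the seed string, RC4-decrypt the blob, LZNT1-decompress the result) are the chain an analyst has to reproduce to get at the final implant. The following is an added example written for this article, not code from the malware or from the researchers who analysed it. The write-up does not say which hash algorithm produces the RC4 key, so MD5 is an assumption used only so the example runs end to end; the packed sample is constructed in the block itself (a small LZNT1 chunk encrypted with the derived key), and the `unpack` helper is hypothetical.

```python
import hashlib
import struct

# Seed string quoted in the write-up. The hash algorithm is NOT given there;
# MD5 is assumed here purely so the example is runnable end to end.
KEY_STRING = b"rdfY&689uuaijs"


def derive_rc4_key(seed: bytes) -> bytes:
    """Hash the seed to get the RC4 key (MD5 is an assumption, see above)."""
    return hashlib.md5(seed).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream (the format RtlDecompressBuffer handles for
    COMPRESSION_FORMAT_LZNT1): chunks with a 16-bit header, bit 15 = compressed,
    low 12 bits = chunk size - 1. Compressed chunks are flag bytes followed by
    eight tokens each: a literal byte (flag bit 0) or a 16-bit copy token (flag bit 1)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:              # zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        if not header & 0x8000:      # bit 15 clear: chunk stored uncompressed
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The displacement/length split of the token moves as the chunk fills:
                # more displacement bits are needed the further into the chunk we are.
                p = len(out) - chunk_start - 1
                len_mask, off_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                for _ in range(length):
                    out.append(out[-offset])   # byte-wise copy handles overlapping matches
    return bytes(out)


def unpack(blob: bytes, key: bytes) -> bytes:
    """Hypothetical helper: RC4-decrypt then LZNT1-decompress, as the write-up describes."""
    return lznt1_decompress(rc4(key, blob))


# Constructed sample: one compressed chunk (header 0xB005, 6 data bytes) holding
# literals "ABC" followed by a copy token (offset 3, length 9) -> "ABCABCABCABC".
COMPRESSED_SAMPLE = bytes.fromhex("05b0" "08" "414243" "0620")
KEY = derive_rc4_key(KEY_STRING)
PACKED_SAMPLE = rc4(KEY, COMPRESSED_SAMPLE)   # stands in for the encrypted payload blob

if __name__ == "__main__":
    print(unpack(PACKED_SAMPLE))
```

On a real sample the blob fed to `unpack` would be the encrypted resource carved out of `libwaapi.dll`, and the hash in `derive_rc4_key` would be replaced by whatever the loader actually uses; the RC4 and LZNT1 routines do not depend on that choice.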

The final payload is heavily obfuscated and unhooks loaded modules, restoring the original bytes of API functions that security products patch in user mode so that their hooks no longer observe the implant's calls. Notably, its functionality resides in the exported `DllUnload` function, an unusual entry point for malicious code and one that generic sandboxes, which typically exercise `DllMain` and common exports, may never invoke.

Exploitation of Azure Functions for Command-and-Control

A standout feature of this malware is its use of Azure Functions for C2 communications. The final payload sends victim data in a POST request to `logsapi.azurewebsites[.]net/api/logs`. The `azurewebsites.net` domain is shared by every Azure App Service and Functions application, so the traffic blends in with legitimate cloud use and the domain cannot simply be blocked without breaking other Azure-hosted services. Defenders therefore have to pivot on the specific hostname and, more durably, on which process is making the request: a POST to an Azure Functions endpoint from a VPN client component such as `PanGpHip.exe` is anomalous even though the destination is legitimate.

The exfiltrated data, formatted in XML, includes comprehensive details about the compromised system:

– Computer and user names

– Operating system version

– System uptime

– Processes associated with the malware and its parent process

Geographical Spread and Ongoing Analysis

A related sample sharing the same import hash (imphash) was uploaded from Singapore on September 5, 2025, suggesting the campaign is not limited to a single target or country. Researchers are still analysing the final payload to document its full command set and to develop countermeasures.

Implications and Recommendations

This campaign underscores the evolving tactics of cybercriminals who exploit trusted cloud services to enhance the stealth and resilience of their operations. Organizations are advised to:

– Monitor Network Traffic at the Process Level: Blocking `azurewebsites.net` is not practical, so alert on the specific C2 hostname and on POST traffic to Azure-hosted applications from processes that have no reason to contact them, such as VPN client components.

– Regularly Update Software: Keep all software, especially endpoint security tools, up to date so that current signatures and behavioural rules for this loader are in place, and confirm that detection does not depend solely on user-mode hooks, since the implant unhooks them.

– Educate Employees: Train staff to treat disk-image attachments (`.iso`) and shortcut files (`.lnk`) as suspect; this infection chain required a user to mount the ISO and open the shortcut inside it.

By staying vigilant and adopting comprehensive security measures, organizations can better defend against sophisticated malware campaigns that leverage legitimate cloud services for malicious purposes.