HazyBeacon Malware Exploits AWS Lambda for Covert Data Theft


VTA-004523 – HazyBeacon Malware Exploits AWS Lambda for Covert Data Theft

A newly discovered Windows backdoor, HazyBeacon, is targeting Southeast Asian government agencies to steal sensitive data, including details on tariffs and trade disputes. Researchers linked the campaign to a state-backed threat actor, noting its focus on gathering intelligence that could influence regional and global policies.

The attack begins with DLL side-loading, where a malicious DLL (“mscorsvc.dll”) is deployed alongside a legitimate Windows executable (“mscorsvw.exe”). Once executed, the malware contacts a remote server to fetch additional payloads and maintains persistence via a service.

HazyBeacon stands out for using AWS Lambda URLs for command-and-control (C2), blending malicious traffic with legitimate cloud services. Attackers also leveraged Google Drive and Dropbox for data exfiltration, though some upload attempts were blocked. Before exiting, the malware cleans traces by deleting staged files and payloads.

This campaign highlights the growing abuse of trusted cloud services (like AWS, Google, and Dropbox) for stealthy cyber espionage—a tactic known as “living-off-trusted-services” (LOTS).

Severity:
Medium

Attack Surface:
Cloud Service, Endpoint OS, File Storage

Tactics:
Command and Control, Defense Evasion, Execution, Exfiltration, Persistence

Techniques:
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1071.004: Command and Control: Application Layer Protocol – Cloud
T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1070: Indicator Removal: File Deletion

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/6876b4d266f85b0a664a6555

References:
1. https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/

SuperPRO’s Threat Countermeasures Procedures:
1. Monitor outbound traffic to rare cloud endpoints (e.g., *.lambda-url.*.amazonaws.com).
2. Inspect unusual DLL side-loading activities, especially involving system binaries.
3. Restrict unnecessary access to cloud storage services (Google Drive, Dropbox) from critical systems.
4. Implement behavior-based detection to spot abnormal process execution chains.
5. Regularly audit and log service creations for persistence mechanisms.
6. Block or scrutinize AWS Lambda URLs in environments with no legitimate use case.
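A minimal detection for countermeasures 1 and 2, as an added example that is not part of this advisory or the referenced research. The proxy records and image-load events are constructed; the Lambda function URL host forms matched and the C:\Windows location assumed for the genuine mscorsvw.exe are assumptions, not values from the page.

```python
import re
from pathlib import PureWindowsPath

# Lambda function URL hosts: the advisory's "*.lambda-url.*.amazonaws.com" pattern plus the
# "<id>.lambda-url.<region>.on.aws" form (assumed); the "lambda-url" label is the stable part.
LAMBDA_URL_HOST = re.compile(
    r"^[^.]+\.lambda-url\.[^.]+\.(?:on\.aws|amazonaws\.com)$", re.IGNORECASE
)

# Constructed proxy records (timestamp, client IP, destination host); not real telemetry.
PROXY_LOG = """\
2025-07-16T08:01:12Z 10.0.5.21 update.microsoft.com
2025-07-16T08:01:40Z 10.0.5.21 abcdef123456.lambda-url.ap-southeast-1.on.aws
2025-07-16T08:02:03Z 10.0.5.21 lambda-url.amazonaws.com.lookalike.test
2025-07-16T08:03:55Z 10.0.5.22 xyz987.lambda-url.us-east-1.amazonaws.com
"""

def flag_lambda_url_hosts(log_text):
    """Return (client, host) pairs whose destination is a Lambda function URL host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than crash on them
        _ts, client, host = parts
        if LAMBDA_URL_HOST.match(host):
            hits.append((client, host))
    return hits

# Constructed image-load events (process path, loaded DLL path) as an EDR would record them.
IMAGE_LOADS = [
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"),
    (r"C:\Users\Public\Libraries\mscorsvw.exe",
     r"C:\Users\Public\Libraries\mscorsvc.dll"),
]

# Assumption: the genuine mscorsvw.exe lives under C:\Windows. A copy running elsewhere that
# loads a same-named mscorsvc.dll from its own folder is the side-loading pattern described above.
TRUSTED_ROOT = "c:\\windows\\"

def flag_sideload(events):
    """Return image-load events matching the mscorsvw.exe / mscorsvc.dll side-loading pattern."""
    hits = []
    for exe, dll in events:
        exe_p, dll_p = PureWindowsPath(exe), PureWindowsPath(dll)
        if exe_p.name.lower() != "mscorsvw.exe" or dll_p.name.lower() != "mscorsvc.dll":
            continue
        outside_windows = not str(dll_p).lower().startswith(TRUSTED_ROOT)
        if outside_windows and dll_p.parent == exe_p.parent:
            hits.append((exe, dll))
    return hits
```

Both functions return the matching records so they can be fed to an alerting pipeline; the lookalike host in the sample log is deliberately not matched because it does not end in an AWS suffix.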

Contributed by: Fatini