• Cybersecurity researchers have identified a sophisticated campaign where threat actors are leveraging compromised credentials to infiltrate Azure Blob Storage containers, targeting organizations’ critical code repositories and sensitive data.

    This emerging threat exploits misconfigured storage access controls to establish persistence and exfiltrate valuable intellectual property.

    The attack vector represents a significant shift in how threat actors are approaching cloud infrastructure, moving beyond traditional endpoint-focused attacks toward enterprise storage systems.

    The campaign has been linked to multiple threat groups operating across different sectors, including finance, technology, and critical infrastructure.

    Microsoft analysts noted that the attacks typically begin with credential harvesting through phishing campaigns and malware-based information stealers.

    Once initial access is established, operators conduct reconnaissance to identify accessible Azure Blob Storage instances with weak or default access policies.

    The threat actors then systematically enumerate containers to locate valuable repositories, configuration files, and backup data.

    Microsoft researchers identified a critical component of this operation involving SharkStealer, a Golang-based infostealer that employs an advanced communication technique called EtherHiding to evade traditional detection mechanisms.

    This malware family uses the BNB Smart Chain Testnet as a command-and-control dead drop: instead of contacting a hardcoded domain, it calls a smart contract and receives encrypted data from which it recovers the current C2 address.

    Technical Analysis of EtherHiding Pattern in Azure Attacks

    The sophistication of these operations lies in how threat actors combine traditional credential theft with blockchain-based obfuscation techniques. SharkStealer initiates contact with BNB Smart Chain nodes using Ethereum JSON-RPC calls targeting specific smart contracts.

    Attack techniques that abuse Blob Storage along the attack chain (Source – Microsoft)

    The malware executes eth_call requests to predetermined contract addresses, receiving tuples containing an initialization vector and encrypted payload.

    Using a hardcoded AES-CFB encryption key embedded within the binary, the malware decrypts the returned data to extract current C2 server coordinates.

    This methodology complicates detection because the observable network traffic is JSON-RPC to a public blockchain node, which on a casual look is hard to distinguish from benign wallet or dApp activity. The caveat for defenders is that most corporate endpoints have no business issuing eth_call requests to a BSC Testnet seed node at all, so egress to such endpoints from ordinary workstations is itself a usable signal.

    The use of public blockchain infrastructure as a dead-drop mechanism provides threat actors with remarkable resilience against traditional takedown operations and domain blocking strategies.

    In observed campaigns, once SharkStealer compromises a system, it harvests Azure credentials stored in browser caches, configuration files, and credential managers.

    Because these credentials are valid, the access looks legitimate: authentication succeeds, no access-control check is violated, and at that layer the requests are indistinguishable from the rightful owner's activity.

    Threat actors then establish secondary connections to Azure Storage, downloading entire repositories containing source code, API keys, and sensitive configuration data.

    The combination of EtherHiding-based command infrastructure with Azure Storage access creates a particularly dangerous threat profile that organizations must actively defend against through credential rotation, access reviews, and monitoring for anomalous blockchain-based communications originating from internal networks.

    Organizations should implement strict Azure Storage authentication policies, enforce multi-factor authentication on administrative accounts, and deploy behavioral monitoring to detect unusual API access patterns.
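    The recommendations above ask for behavioural monitoring of storage API access. The Go program below is an added example, not code from Microsoft or from the article, of what that can look like: a small rule set run over Azure Storage resource-log records. The JSON field names follow the StorageBlobLogs schema, but every log line is constructed here, as are the allow-listed egress IP, the threshold and the window. It flags successful anonymous reads, blob enumeration from an address outside the allow-list, and bulk GetBlob downloads inside a sliding per-caller window. The last rule is the one that matters for the stolen-credential case described above: the attacker's requests authenticate normally (authenticationType is OAuth in the sample), so only the access pattern gives them away.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Record carries the subset of Azure StorageBlobLogs fields the rules use. The
// JSON names follow the Azure resource-log schema; the lines fed in below are
// constructed, not exported from a real storage account.
type Record struct {
	Time       time.Time `json:"time"`
	Operation  string    `json:"operationName"`
	AuthType   string    `json:"authenticationType"`
	CallerIP   string    `json:"callerIpAddress"`
	URI        string    `json:"uri"`
	StatusCode int       `json:"statusCode"`
}

// Finding is one alert: the rule that fired, the caller, and why.
type Finding struct{ Rule, Caller, Detail string }

const (
	bulkThreshold = 20              // successful GetBlob calls from one IP ...
	bulkWindow    = 5 * time.Minute // ... inside this sliding window
)

// knownEgressIPs is a CONSTRUCTED allow-list of the organization's CI and office egress addresses.
var knownEgressIPs = map[string]bool{"198.51.100.5": true}

// ParseLogs decodes one JSON record per line and fails on the first bad line.
func ParseLogs(lines []string) ([]Record, error) {
	recs := make([]Record, 0, len(lines))
	for i, l := range lines {
		var r Record
		if err := json.Unmarshal([]byte(l), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		recs = append(recs, r)
	}
	return recs, nil
}

// Analyze applies three rules to successful (2xx) requests only: anonymous
// reads of blobs or listings, blob enumeration from an IP outside the
// allow-list, and bulk downloads inside a sliding per-caller window.
func Analyze(recs []Record) []Finding {
	sort.Slice(recs, func(i, j int) bool { return recs[i].Time.Before(recs[j].Time) })
	var out []Finding
	reads := map[string][]time.Time{} // caller IP -> recent successful GetBlob times
	bulkReported := map[string]bool{}
	for _, r := range recs {
		if r.StatusCode < 200 || r.StatusCode > 299 {
			continue
		}
		if r.AuthType == "Anonymous" && (r.Operation == "GetBlob" || r.Operation == "ListBlobs") {
			out = append(out, Finding{"anonymous-read", r.CallerIP, r.URI})
		}
		if r.Operation == "ListBlobs" && !knownEgressIPs[r.CallerIP] {
			out = append(out, Finding{"enumeration-from-unknown-ip", r.CallerIP, r.URI})
		}
		if r.Operation == "GetBlob" {
			ts := append(reads[r.CallerIP], r.Time)
			for len(ts) > 0 && ts[0].Before(r.Time.Add(-bulkWindow)) {
				ts = ts[1:] // drop reads that fell out of the window
			}
			reads[r.CallerIP] = ts
			if len(ts) >= bulkThreshold && !bulkReported[r.CallerIP] {
				bulkReported[r.CallerIP] = true
				out = append(out, Finding{"bulk-download", r.CallerIP,
					fmt.Sprintf("%d GetBlob calls within %s (auth=%s)", len(ts), bulkWindow, r.AuthType)})
			}
		}
	}
	return out
}

// SampleLogs builds constructed log lines: routine reads from a known CI IP, a
// stolen-token session (OAuth, so authentication looks legitimate) listing the
// container and then pulling 25 blobs in two minutes, one anonymous read of a
// public container, and one denied request that the rules ignore.
func SampleLogs() []string {
	base := time.Date(2025, 10, 20, 9, 0, 0, 0, time.UTC)
	line := func(t time.Time, op, auth, ip, uri string, code int) string {
		return fmt.Sprintf(`{"time":%q,"operationName":%q,"authenticationType":%q,"callerIpAddress":%q,"uri":%q,"statusCode":%d}`,
			t.Format(time.RFC3339), op, auth, ip, uri, code)
	}
	const acct = "https://acct.blob.core.windows.net"
	var lines []string
	for i := 0; i < 3; i++ {
		lines = append(lines, line(base.Add(time.Duration(i)*time.Minute), "GetBlob", "OAuth", "198.51.100.5", acct+"/build/app.zip", 200))
	}
	lines = append(lines, line(base.Add(10*time.Minute), "ListBlobs", "OAuth", "203.0.113.50", acct+"/repos?restype=container&comp=list", 200))
	for i := 0; i < 25; i++ {
		lines = append(lines, line(base.Add(11*time.Minute+time.Duration(i)*5*time.Second), "GetBlob", "OAuth", "203.0.113.50", fmt.Sprintf("%s/repos/src/file%02d.go", acct, i), 200))
	}
	lines = append(lines, line(base.Add(30*time.Minute), "GetBlob", "Anonymous", "192.0.2.9", acct+"/public/backup.tar", 200))
	lines = append(lines, line(base.Add(31*time.Minute), "GetBlob", "OAuth", "192.0.2.9", acct+"/repos/src/main.go", 403))
	return lines
}

func main() {
	recs, err := ParseLogs(SampleLogs())
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(recs) {
		fmt.Printf("%-28s %-13s %s\n", f.Rule, f.Caller, f.Detail)
	}
}
```

    Run against the constructed sample, the three findings are the enumeration and the bulk download from 203.0.113.50 and the anonymous read from 192.0.2.9; the CI runner's three reads stay under the threshold and the denied request is ignored. The threshold and window are placeholders that have to be tuned per account: a build system that legitimately mirrors a container will trip the bulk rule unless its egress address is allow-listed or given a higher limit.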


  • A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural “fingerprints.”

    Released by Proofpoint, the tool empowers security teams to create robust threat detection rules based on unique object characteristics in PDF files.

    This innovation addresses the growing reliance of threat actors on PDFs for delivering malware, credential phishing, and business email compromise (BEC) attacks.

    By focusing on document structure rather than volatile elements like URLs or images, the tool supports clustering related files and attributing them to specific threat groups even as attackers change their lures. Proofpoint developed the technique internally to track multiple threat actors.

    PDFs remain a staple in email-based campaigns, often embedding URLs to malware downloads, QR codes directing users to phishing sites, or forged invoices mimicking brands like banks or services.

    Proofpoint notes that these files can initiate chains leading to remote access trojans or data theft.

    However, the PDF format’s complexity, allowing endless variations for compatibility, poses detection challenges, from encrypted streams hiding URIs to compressed objects obscuring payloads.

    The core issue lies in PDF’s flexibility: six valid whitespace types, compressible cross-reference tables, and objects that can embed or reference parameters interchangeably.

    Encryption further complicates matters, revealing only the document’s skeleton while concealing details like malicious links.

    Traditional signatures falter against these evasions, as minor tweaks render hashes or metadata useless.

    PDF Object Hashing sidesteps this by parsing the file’s object hierarchy, extracting types such as Pages, Catalog, XObject/Image, Annotations/Link, Metadata/XML, Producer, and Font/Type1.

    These are concatenated in order and hashed into a stable “fingerprint,” akin to imphash for executables. This ignores lure-specific changes, like updated images, allowing clustering of related files.

    As Proofpoint demonstrates, overlapping hashes (visualized in green-yellow diagrams) reveal connections across variants, aiding threat hunting without decryption.
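    To make the mechanism concrete, here is an added Go example that is not Proofpoint's tool (the page does not give its exact label set or serialization, so hashes from this code are not comparable with theirs): walk the object hierarchy, label each object by its /Type and /Subtype (or as Producer for the Info dictionary), join the labels in file order and hash them. Two lure variants built from one template hash identically even though their URL and image bytes differ, while a text-only invoice with a different skeleton does not. The PDFs are constructed, unencrypted and uncompressed; a production implementation would also have to unpack object streams and cross-reference streams, which the regex here does not attempt.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

var (
	objRe      = regexp.MustCompile(`(?s)\b(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b`)
	typeRe     = regexp.MustCompile(`/Type\s*/([A-Za-z0-9]+)`)
	subtypeRe  = regexp.MustCompile(`/Subtype\s*/([A-Za-z0-9]+)`)
	producerRe = regexp.MustCompile(`/Producer\s*[(<]`)
)

// ObjectLabels walks every "N G obj ... endobj" in file order and returns one
// label per object that carries structure: "Type" or "Type/Subtype" for typed
// objects, "Producer" for an Info dictionary. Untyped objects contribute nothing.
func ObjectLabels(pdf []byte) []string {
	var labels []string
	for _, m := range objRe.FindAllSubmatch(pdf, -1) {
		body := m[3]
		switch {
		case typeRe.Match(body):
			label := string(typeRe.FindSubmatch(body)[1])
			if s := subtypeRe.FindSubmatch(body); s != nil {
				label += "/" + string(s[1])
			}
			labels = append(labels, label)
		case producerRe.Match(body):
			labels = append(labels, "Producer")
		}
	}
	return labels
}

// ObjectHash joins the labels in order and hashes them. Anything that lives
// inside strings or streams (URLs, image bytes, lure text) never reaches the
// hash, so two lures built from the same template collide on purpose.
func ObjectHash(pdf []byte) string {
	sum := sha256.Sum256([]byte(strings.Join(ObjectLabels(pdf), ",")))
	return hex.EncodeToString(sum[:])
}

// BuildLure emits a CONSTRUCTED minimal PDF: Catalog, Pages, one Page, a Link
// annotation pointing at url, an Image XObject holding img, and an Info
// dictionary. Only url and img vary between "campaign" variants.
func BuildLure(url, img string) string {
	return fmt.Sprintf(`%%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Resources << /XObject << /Im1 5 0 R >> >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 120] /A << /S /URI /URI (%s) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length %d >> stream
%s
endstream endobj
6 0 obj << /Producer (Constructed Writer 1.0) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%%%EOF
`, url, len(img), img)
}

// invoiceLure is a CONSTRUCTED text-only document: no link, no image, a Type1
// font instead. Same producer, different skeleton.
const invoiceLure = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Producer (Constructed Writer 1.0) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
`

func main() {
	a := []byte(BuildLure("http://lure-a.example/login", "AAA"))
	b := []byte(BuildLure("http://lure-b.example/verify", "ZZZZZZZZ"))
	fmt.Println(strings.Join(ObjectLabels(a), ","))
	fmt.Println("same template collides:", ObjectHash(a) == ObjectHash(b))
	fmt.Println("different skeleton collides:", ObjectHash(a) == ObjectHash([]byte(invoiceLure)))
}
```

    The label string for the lure template comes out as Catalog,Pages,Page,Annot/Link,XObject/Image,Producer; the invoice yields Catalog,Pages,Page,Font/Type1,Producer. That is the whole point of the technique: the attacker can swap the URL, the QR image and the brand text on every send without touching the object skeleton, and a structural hash keyed on that skeleton survives the rotation while a file hash does not.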

    Real-World Campaigns Tracked

    Proofpoint applied the tool to track UAC-0050, a cluster targeting Ukraine with encrypted PDFs impersonating OneDrive. These deliver NetSupport RAT via JavaScript-laden URLs, evading parsers due to encryption.

    Hashing exposed structural similarities, enabling rapid signature creation and payload blocking. The payload hash as printed in the source is ee03ad7c8f1e25ad157ab3cd9b0d6109b30867572e7e13298a3ce2072ae13e5, which is 63 hex characters, one short of a valid SHA-256, so verify it against Proofpoint's original report before adding it to a blocklist.

    Similarly, UNK_ArmyDrive, an India-based actor active since May 2025, uses PDFs in BEC lures like fake Bangladesh Ministry documents (SHA256: 08367ec03ede1d69aa51de1e55caf3a75e6568aa76790c39b39a00d1b71c9084).


  • Toys “R” Us Canada has alerted its customers to a significant data breach that may have compromised personal information. The company sent notification emails to affected customers on Thursday morning, confirming that unauthorized access to their databases occurred. According to the notification, the toy retailer discovered the breach after learning on July 30 that someone […]

    The post Toys “R” Us Canada Data Breach Exposes Customer Personal Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Socket’s Threat Research Team has uncovered a sophisticated supply chain attack targeting cryptocurrency developers through the NuGet package registry. The malicious packages, which exfiltrate sensitive wallet data including private keys and mnemonics, highlight a critical vulnerability in package registry security practices. The attack centers on a package named Netherеum.All, which appears identical to the legitimate […]

    The post Malicious NuGet Packages Pose as Nethereum, Steal Crypto Wallet Keys appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has rolled out a significant security enhancement to Windows File Explorer, automatically disabling the preview pane for files downloaded from the internet as part of security updates released on and after October 14, 2025. This proactive measure targets a long-standing vulnerability that attackers have exploited to harvest NTLM hashes and sensitive credentials used for […]

    The post Microsoft Boosts Windows Security by Disabling File Previews for Downloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span


  • A sophisticated information-stealing malware written in Golang has emerged, leveraging blockchain technology to establish covert command-and-control channels.

    SharkStealer represents a significant evolution in malware design, utilizing the BNB Smart Chain Testnet as a resilient dead-drop resolver for its C2 infrastructure.

    This novel approach demonstrates how threat actors exploit Web3 technologies to evade traditional detection mechanisms and maintain persistent communication channels.

    The malware employs an innovative technique known as EtherHiding, where critical infection chain components are stored on public blockchains rather than conventional web servers.

    This method transforms immutable blockchain networks into censorship-resistant infrastructure that defenders struggle to disrupt or monitor effectively.

    By embedding C2 addresses within smart contract responses, SharkStealer creates a distributed communication layer that remains operational even when traditional domains or IP addresses are blocked.

    SharkStealer’s attack vector centers on leveraging the transparency and availability of public blockchain networks while maintaining operational security through encryption.

    VMRay analysts identified that the malware issues Ethereum JSON-RPC eth_call requests, through public BSC Testnet nodes, to specific smart contracts deployed on the BSC Testnet.

    These contracts serve as encrypted data repositories, returning tuples containing an initialization vector (IV) and encrypted payload when queried.

    The malware then decrypts this data using a hardcoded AES-CFB key embedded within the binary, ultimately extracting the actual C2 server addresses.

    Technical Analysis of C2 Resolution

    The infection mechanism operates through a multi-stage process that begins with a JSON-RPC connection to data-seed-prebsc-2-s1.binance.org:8545, a public BSC Testnet RPC endpoint.

    The code snippet below, recovered from the binary, illustrates how SharkStealer constructs the JSON-RPC request:

    v87.Jsonrpc.ptr = "2.0";
    v87.Method.ptr = "eth_call";
    v77.To.ptr = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf";
    v77.Data.ptr = "0x24c12bf6";
    Smart Contract Request Construction (Source – VMRay)

    The malware’s C2 resolution mechanism demonstrates sophisticated engineering combining blockchain interaction with traditional cryptographic techniques.

    Once the eth_call request reaches the target smart contracts, specifically 0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf, the node evaluates the contract function whose 4-byte selector is 0x24c12bf6 and returns the encrypted C2 data in the call result.

    The decryption process utilizes AES-CFB mode, combining the hardcoded key with the dynamically retrieved IV to decrypt the payload.

    Analysis of sample SHA-256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274 revealed active C2 servers at 84.54.44.48 and securemetricsapi.live, demonstrating the technique’s operational effectiveness.
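    Both the Azure Blob Storage item earlier on this page and this one describe the same resolution chain: an eth_call to the contract, an ABI-encoded (IV, ciphertext) pair back, and AES-CFB decryption under a key hardcoded in the binary. The Go program below is an added example, not SharkStealer's code or VMRay's, that carries that chain end to end offline. The contract address and selector are the ones reported above; the AES key, the IV and the resolved address 203.0.113.10:443 are constructed stand-ins, and FakeContractResponse plays the part of the contract so that no blockchain node is ever contacted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Contract address and 4-byte selector as reported in the article. demoKey is a
// CONSTRUCTED stand-in: the real hardcoded AES key is not published on the page.
const (
	contractAddr = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf"
	selector     = "0x24c12bf6"
)

var demoKey = []byte("0123456789abcdef")

// BuildEthCall is the JSON-RPC body POSTed to a BSC Testnet node: eth_call
// against the contract with the bare selector as calldata (no arguments).
func BuildEthCall(to, data string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"jsonrpc": "2.0", "id": 1, "method": "eth_call",
		"params":  []interface{}{map[string]string{"to": to, "data": data}, "latest"},
	})
}

// abiEncodeBytesPair ABI-encodes a (bytes, bytes) return value: two offset words,
// then each array as a length word plus 32-byte-padded data. Used only to
// fabricate a contract response offline.
func abiEncodeBytesPair(a, b []byte) []byte {
	var out bytes.Buffer
	pad := func(n int) int { return (n + 31) / 32 * 32 }
	word := func(v int) {
		var w [32]byte
		binary.BigEndian.PutUint64(w[24:], uint64(v))
		out.Write(w[:])
	}
	dyn := func(d []byte) { word(len(d)); out.Write(d); out.Write(make([]byte, pad(len(d))-len(d))) }
	word(64)               // offset of a: right after the two head words
	word(96 + pad(len(a))) // offset of b: after a's length word and padded data
	dyn(a)
	dyn(b)
	return out.Bytes()
}

// abiDecodeBytesPair is the parse the malware performs on the eth_call result.
// Offsets and lengths are bounds-checked (only the low 8 bytes of each word are
// read): a contract, or a defender's sinkhole node, can return anything.
func abiDecodeBytesPair(ret []byte) ([]byte, []byte, error) {
	n := uint64(len(ret))
	word := func(off uint64) (uint64, error) {
		if n < 32 || off > n-32 {
			return 0, errors.New("return data too short")
		}
		return binary.BigEndian.Uint64(ret[off+24 : off+32]), nil
	}
	dyn := func(off uint64) ([]byte, error) {
		length, err := word(off)
		if err != nil || length > n || off+32+length > n {
			return nil, errors.New("bytes run past return data")
		}
		return ret[off+32 : off+32+length], nil
	}
	offA, errA := word(0)
	offB, errB := word(32)
	iv, errIV := dyn(offA)
	ct, errCT := dyn(offB)
	for _, err := range []error{errA, errB, errIV, errCT} {
		if err != nil {
			return nil, nil, err
		}
	}
	return iv, ct, nil
}

// ResolveC2 takes the "result" hex of the eth_call reply, decodes (iv, ciphertext)
// and AES-CFB-decrypts it under key. CFB is a stream mode: no padding to strip.
func ResolveC2(key []byte, result string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(result, "0x"))
	if err != nil {
		return "", err
	}
	iv, ct, err := abiDecodeBytesPair(raw)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(iv) != block.BlockSize() {
		return "", fmt.Errorf("IV must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// FakeContractResponse plays the contract: encrypt c2 under demoKey with a fixed
// CONSTRUCTED IV and return ABI-encoded (iv, ciphertext) as the 0x-hex string a
// node would place in the JSON-RPC "result" field.
func FakeContractResponse(c2 string) string {
	iv := []byte("fixed-demo-iv-16")
	block, _ := aes.NewCipher(demoKey)
	ct := make([]byte, len(c2))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, []byte(c2))
	return "0x" + hex.EncodeToString(abiEncodeBytesPair(iv, ct))
}

func main() {
	body, _ := BuildEthCall(contractAddr, selector)
	fmt.Println(string(body))
	fmt.Println(ResolveC2(demoKey, FakeContractResponse("203.0.113.10:443"))) // constructed C2 (TEST-NET-3)
}
```

    Two points worth noticing. The request carries no arguments, so every infected host sends the identical calldata to the identical contract, which is a reliable content signature for anyone who can see the JSON-RPC body. And because the key lives in the binary, a defender who has the sample can run the same decoder over eth_call results captured at a proxy, or over the contract's current return value, and learn the live C2 before the malware does; swapping infrastructure then costs the operator a new contract state, not a new domain.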


    The post SharkStealer Using EtherHiding Pattern to Resolves Communications With C2 Channels appeared first on Cyber Security News.


  • Check Point Research has uncovered a massive malware distribution operation called the YouTube Ghost Network, featuring over 3,000 malicious videos designed to infect unsuspecting users with dangerous information-stealing malware. This sophisticated cybercriminal network has been operating since at least 2021, with activity tripling in 2025 as threat actors increasingly exploit YouTube’s trusted platform to bypass […]

    The post YouTube Ghost Malware Campaign: Over 3,000 Infected Videos Target Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical zero-day vulnerability in Samsung’s flagship Galaxy S25 smartphone was successfully exploited at Pwn2Own Ireland 2025, demonstrating how attackers could silently activate the device’s camera and track a user’s real-time location. Security researchers Ben R. and Georgi G. from Interrupt Labs revealed the sophisticated exploit during the competition’s final day, earning $50,000 in prize […]

    The post Hackers Exploit Galaxy S25 0-Day to Turn On Camera and Track Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft 365 Exchange Online’s Direct Send feature, originally designed to enable legacy devices and applications to send emails without authentication, has become an exploitable pathway for cybercriminals conducting sophisticated phishing and business email compromise attacks.

    The feature allows multifunction printers, scanners, and older line-of-business applications to transmit messages by bypassing rigorous authentication and security checks, creating an operational convenience that adversaries have weaponized to circumvent standard content filters and domain verification protocols.

    Recent investigations reveal a surge in malicious campaigns exploiting Direct Send to deliver fraudulent messages that appear to originate from trusted internal sources.

    Threat actors emulate legitimate device traffic and send unauthenticated emails impersonating executives, IT help desks, and internal users.

    These campaigns frequently employ business-themed social engineering lures, including task approvals, voicemail notifications, and payment prompts designed to manipulate recipients into divulging credentials or sensitive information.

    Cisco Talos analysts identified increased activity by malicious actors leveraging Direct Send as part of coordinated phishing campaigns and BEC attacks.

    Security researchers from multiple organizations, including Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, and Mimecast, have independently confirmed similar findings, indicating that adversaries have actively targeted corporations using Direct Send in recent months.

    Direct Send Exploitation

    The attacks exploit the feature’s ability to inherit implicit trust from Exchange infrastructure, decreasing payload scrutiny and enabling messages to bypass critical sender verification mechanisms.

    The exploitation technique centers on circumventing three fundamental email authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

    Spoofed American Express dispute (left), fake ACH payment notice (right) (Source – Cisco Talos)

    Under normal circumstances, these protocols verify message authenticity through cryptographic signatures, authorized IP ranges, and policy enforcement.

    Direct Send, however, accepts unauthenticated mail at the tenant's own MX endpoint, so a message that fails or lacks these checks can still be delivered to internal recipients when it claims an internal sender.

    Attackers have embedded QR codes within PDFs and crafted empty-body messages with obfuscated attachments, successfully evading traditional content filters and directing victims to credential harvesting pages.

    Microsoft has responded by introducing a Public Preview of the RejectDirectSend control and announcing future enhancements, including Direct Send-specific usage reports and a default-off configuration for new tenants.

    Organizations can mitigate risks by disabling Direct Send where feasible using the command Set-OrganizationConfig -RejectDirectSend $true after validating legitimate mail flows, migrating devices to authenticated SMTP submission on port 587, and implementing tightly scoped IP restrictions for devices unable to authenticate properly.
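    The Go program below is an added example, not from Cisco Talos or Microsoft, of triaging delivered mail for the pattern described above: an internal From domain, SPF and DMARC that did not pass, and a relaying address that is not one of the devices allowed to use Direct Send. It reads the Authentication-Results header in the shape Exchange Online Protection writes it (result tokens such as spf=fail and compauth=fail, plus the "sender IP is" comment). The tenant domain, the device allow-list and the three messages are constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// tenantDomains and deviceAllowList are CONSTRUCTED: the tenant's accepted
// domains and the source IPs of devices still permitted to relay through
// Direct Send without authenticating.
var (
	tenantDomains   = map[string]bool{"contoso.example": true}
	deviceAllowList = map[string]bool{"198.51.100.20": true}
	// Authentication-Results tokens as Exchange Online Protection writes them, e.g.
	// "spf=fail (sender IP is 203.0.113.7) ...; dmarc=fail ...; compauth=fail reason=001".
	resultRe   = regexp.MustCompile(`\b(spf|dkim|dmarc|compauth)=(\w+)`)
	senderIPRe = regexp.MustCompile(`sender IP is (\d+\.\d+\.\d+\.\d+)`)
)

type Verdict struct {
	FromDomain, SPF, DKIM, DMARC, CompAuth, SourceIP string
	Suspicious                                       bool
	Reason                                           string
}

// Triage decides whether one raw message looks like unauthenticated Direct Send
// traffic spoofing an internal sender: our From domain, SPF/DMARC not passing,
// and a relaying IP that is not an allow-listed device.
func Triage(raw string) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Verdict{}, fmt.Errorf("unparseable From: %w", err)
	}
	v := Verdict{FromDomain: strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])}
	ar := msg.Header.Get("Authentication-Results")
	for _, m := range resultRe.FindAllStringSubmatch(ar, -1) {
		switch m[1] {
		case "spf":
			v.SPF = m[2]
		case "dkim":
			v.DKIM = m[2]
		case "dmarc":
			v.DMARC = m[2]
		case "compauth":
			v.CompAuth = m[2]
		}
	}
	if m := senderIPRe.FindStringSubmatch(ar); m != nil {
		v.SourceIP = m[1]
	}
	switch {
	case !tenantDomains[v.FromDomain]:
		v.Reason = "external sender domain; ordinary anti-spoof handling applies"
	case v.SPF == "pass" && v.DMARC == "pass":
		v.Reason = "authenticated internal mail"
	case deviceAllowList[v.SourceIP]:
		v.Reason = "unauthenticated, but relayed from an allow-listed device IP"
	default:
		v.Suspicious = true
		v.Reason = fmt.Sprintf("internal From with spf=%s dmarc=%s compauth=%s relayed from non-allow-listed %s",
			v.SPF, v.DMARC, v.CompAuth, v.SourceIP)
	}
	return v, nil
}

// Constructed samples. The header text follows the shape EOP produces, but the
// addresses and IPs are documentation ranges, not observed indicators.
const (
	spoofedExec = `Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.example; compauth=fail reason=001
From: "Pat Chen (CEO)" <pat.chen@contoso.example>
To: ap@contoso.example
Subject: ACH payment approval needed today

Please approve the attached payment before noon.
`
	printerScan = `Authentication-Results: spf=fail (sender IP is 198.51.100.20)
 smtp.mailfrom=contoso.example; dkim=none header.d=none; dmarc=fail
 action=oreject header.from=contoso.example; compauth=fail reason=001
From: scanner@contoso.example
To: ap@contoso.example
Subject: Scanned document

See attachment.
`
	authenticated = `Authentication-Results: spf=pass (sender IP is 198.51.100.8)
 smtp.mailfrom=contoso.example; dkim=pass header.d=contoso.example;
 dmarc=pass action=none header.from=contoso.example; compauth=pass reason=100
From: hr@contoso.example
To: ap@contoso.example
Subject: Benefits enrollment

Reminder.
`
)

func main() {
	for _, raw := range []string{spoofedExec, printerScan, authenticated} {
		v, err := Triage(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("suspicious=%-5v from=%-16s ip=%-13s %s\n", v.Suspicious, v.FromDomain, v.SourceIP, v.Reason)
	}
}
```

    The allow-listed printer case is the uncomfortable one: as long as a device is permitted to relay unauthenticated, anything that spoofs from its address range inherits that permission, which is why the page's advice to move devices to authenticated submission on port 587 and then set RejectDirectSend matters more than any detection rule. Until that migration is done, scoping the allow-list to exact addresses and alerting on every internal-looking message that fails SPF from anywhere else is the compensating control.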


    The post Hackers Abuse Microsoft 365 Exchange Direct Send to Bypass Content Filters and Harvest Sensitive Data appeared first on Cyber Security News.
