A new, sophisticated malware campaign has been uncovered that leverages Microsoft’s Azure Functions for its command-and-control (C2) infrastructure, a novel technique that complicates detection and takedown efforts.
According to the Dmpdump report, the malware, first identified from a file uploaded to VirusTotal on August 28, 2025, from Malaysia, employs a multi-stage infection process involving DLL side-loading and in-memory payload execution to remain hidden.
The attack begins with a disk image file named Servicenow-BNM-Verify.iso. This ISO contains four files: a legitimate Palo Alto Networks executable (PanGpHip.exe), a shortcut file (servicenow-bnm-verify.lnk), and two hidden dynamic-link libraries (DLLs), libeay32.dll and the malicious libwaapi.dll.

When the user clicks the shortcut file, it executes the legitimate PanGpHip.exe. However, this executable is vulnerable to DLL side-loading, causing it to load the malicious libwaapi.dll from the same directory.

This technique allows the malware to run under the guise of a trusted application, bypassing initial security checks.
Metadata from the shortcut file reveals it was created on August 25, 2025, three days before its upload, on a machine named “desktop-rbg1pik” by a user “john.GIB,” offering a glimpse into the threat actor’s development environment.
Payload Injection And Obfuscation
Once loaded, the malicious libwaapi.dll initiates a complex payload injection sequence. It first hides its console window and creates a mutex to ensure only one instance of the malware runs on the victim’s machine.
It then injects its main payload into the memory of chakra.dll, a legitimate Windows component. This process involves several layers of decryption and obfuscation.
The malware calculates an RC4 key by hashing the string “rdfY*&689uuaijs” and uses it to decrypt the payload. The injected payload is an obfuscated shellcode that decompresses the final DLL implant using the LZNT1 algorithm.
This final payload is heavily obfuscated, with analysis suggesting it implements module unhooking to evade detection by security software.
Its functionality is contained within the DllUnload exported function, a less common choice for housing malicious code.

The most significant aspect of this malware is its use of Azure Functions for C2 communications. The final payload sends victim data via a POST request to logsapi.azurewebsites[.]net/api/logs.
By hosting its C2 on a legitimate serverless platform like Azure, the malware makes it difficult for network defenders to block the malicious traffic without impacting access to legitimate Microsoft services, according to the Dmpdump report.
The exfiltrated data is sent in an XML format, containing detailed information about the compromised system. This includes the computer and user names, OS version, system uptime, and the processes from which the malware and its parent process are running.
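Two of the behaviours described above are observable in ordinary endpoint and proxy telemetry: a known vendor binary loading a DLL from its own directory outside its install location (the side-loading step), and a POST to the reported Azure Functions endpoint. The following detector is an added illustration, not code from the Dmpdump report; the Sysmon-style image-load records and proxy log lines are constructed samples, and the trusted install roots are an assumption to adapt per environment.

```python
from pathlib import PureWindowsPath

# Indicators taken from the report above (host un-defanged so it can be matched).
SIDELOAD_PAIRS = {"pangphip.exe": {"libwaapi.dll"}}
C2_HOST, C2_PATH = "logsapi.azurewebsites.net", "/api/logs"

# Assumption: directories where a vendor binary is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed Sysmon-style image-load events (EventID 7); D: is the mounted ISO.
IMAGE_LOADS = [
    {"Image": r"D:\PanGpHip.exe", "ImageLoaded": r"D:\libwaapi.dll"},
    {"Image": r"D:\PanGpHip.exe", "ImageLoaded": r"C:\Windows\System32\chakra.dll"},
    {"Image": r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe",
     "ImageLoaded": r"C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll"},
]

# Constructed proxy log lines: client method host path status.
PROXY_LOG = """10.0.0.7 POST logsapi.azurewebsites.net /api/logs 200
10.0.0.7 GET login.microsoftonline.com /common/oauth2 200
10.0.0.9 POST logsapi.azurewebsites.net /api/logs 200"""


def is_sideload(event):
    """True when a watched host binary loads its paired DLL from its own
    directory and that directory lies outside the trusted install roots."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in SIDELOAD_PAIRS.get(exe.name.lower(), set()):
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    trusted = str(exe.parent).lower().startswith(TRUSTED_ROOTS)
    return same_dir and not trusted


def find_sideloads(events):
    """Image paths of processes exhibiting the side-loading pattern."""
    return [e["Image"] for e in events if is_sideload(e)]


def find_c2_clients(log_text):
    """Client IPs that POSTed to the reported C2 endpoint, sorted."""
    hits = set()
    for line in log_text.splitlines():
        client, method, host, path, _status = line.split()
        if method == "POST" and host == C2_HOST and path == C2_PATH:
            hits.add(client)
    return sorted(hits)
```

The trusted-root check is what separates the ISO-mounted copy from a genuine GlobalProtect install loading the same DLL name; blocking the host alone would also cut off unrelated azurewebsites.net tenants, which is why the path and method are matched as well.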
A related malware sample with the same import hash was uploaded from Singapore on September 5, 2025, suggesting the campaign may be more widespread.
Security researchers are continuing to analyze the final payload to understand its full capabilities.