Blog

Where do hackers host malware payloads, and why should organizations like yours be aware?

Let's explore:

The Malware Payload Process

Malware-based cyberattacks typically follow a well-defined trajectory of events, progressing from initial reconnaissance to eventual action on the attacker's final objectives. Within the broader framework of the Cyber Kill Chain, the stages Delivery and Exploitation can be further divided into distinct sub-stages representing the adversarial efforts to first gain initial access by executing some first payload exploit code on the victim's infrastructure, and then secondly to import additional malware, map out the victim host and decide the best next course of action to further the compromise.

The first stage involves techniques to enter the target network by exploiting vulnerabilities in publicly accessible services, or by relying on an organization's members to execute attacker-supplied code.  The second method uses tactics such as social engineering, phishing, spear phishing, drive-by-downloads, or watering hole attacks to introduce Trojanized files laden with malware and enticing unsuspecting victims to open them.

The initial payload in this first stage is typically designed to immediately introduce a secondary payload containing additional malware into the victim's system. This sets the stage for attackers to seek a persistent foothold within the victim's network infrastructure, identify higher-value targets, and pivot their efforts to compromise these targets. AZORult malware is a good example of an attack with distinct first and second stage payloads.

This quick one-two punch are the delivery and exploitation stages of an attack. These phrases are an ideal time to prevent an attack from succeeding. From here, this article will look at some common places that attackers host their malicious payloads in order to understand their efforts to avoid detection and confound the defender's efforts to achieve this early stage detection.

Factors Threat Actors Consider When Hosting Malware Payloads

When it comes to where hackers host malware payloads, several critical factors come into play. These factors are pivotal in their decision-making process, allowing them to optimize their attack vectors for maximum impact and evasion. Understanding what motivates their choices is essential for strategizing cybersecurity defences. 

When selecting a location to host their malicious payloads, threat actors consider the following:

• Avoiding Detection: Attackers want to ensure that their malicious infrastructure remains accessible to as many potential victims as possible and their activities can remain undetected by their victim's security measures

• Anonymity and Privacy: Anonymous accounts or servers are used to conceal their identity and location, making it challenging for digital forensic teams to trace the source of the attack. These less-monitored platforms can serve as effective hiding spots

• High Availability: Attackers may distribute malware across multiple servers or platforms to ensure redundancy. This approach minimizes the risk of payload takedowns, enhancing the malware's availability and often employs servers in a vast number of geographic locations to complicate tracking and attribution efforts

• Easily Deployed And Scalable: Cybercriminals often prefer hosting platforms that allow for easy scalability, enabling them to accommodate many potential victims or payloads

Understanding these considerations gives cybersecurity professionals valuable insights into the attacker's mindset, especially when asking where hackers host malware payloads. This allows for better preparedness and more effective countermeasures in the ongoing battle against cyber threats.

Next, let's look at some typical locations that these priorities translate into.

Top Places Attackers Host Malware Payloads

Here is a rundown of some of the most common locations for attackers to host their malware payloads and a description of their advantages and disadvantages:

• Public Cloud Storage Services: Attackers can create cloud accounts to host files which can leverage the trust or need to allow access to popular online services such as Google Drive, Microsoft OneDrive, Dropbox, GitHub and more. Attackers may use a stolen credit card and personal information to create paid cloud accounts to maintain their privacy or leverage less scrutinized or poorly regulated cloud services, such as free hosting services in countries lacking solid cyber regulations

• Managed Cloud Email: Attackers can also disguise their payloads as email messages from legitimate cloud email services such as Gmail, Microsoft 365, or others. Using email as a delivery tool can allow an attacker to reach out to an account with embedded credentials such as POP, IMAP, or OAuth to fetch a pre-existing email message with attachments that can hold malware. During the early reconnaissance stage of an attack, attackers may check their target's DNS records to determine which services they are likely using and then develop payloads that use those same services to avoid suspicious network traffic

• Compromised Websites: Attackers often use previously compromised websites to host their malware payloads so they appear to be coming from a legitimate domain. Once search engines discover that a legitimate website is being used to host malware payloads, they will lower the website's rank, or even delist the site from search results altogether.  This makes protecting your company's website critical for maintaining good SEO because a compromise can lead to a significant drop in business traffic

• Serverless P2P File Sharing: This category includes peer-to-peer (P2P) file-sharing systems like IFPS Hosting and BitTorrent, which allow users to distribute and share files without relying on a centralized server.  Blocking this method of payload hosting is more obvious than the previously mentioned methods. It can be quickly identified and blocked by savvy network defenders by blocking the IP addresses and protocols associated with P2P services

• DGA-based IP Addresses: Domain Generating Algorithms (DGA) are a trick that attackers use to ensure they can still establish a connection to their malicious payloads even if one domain is taken down or blocked by a network security configuration such as a Firewall. DGA uses a predefined algorithm to generate a series of domain names so they can be predicted by the malware that is seeking to find its second-stage payload. An example is a DGA that uses the first 10 characters of an MD5 hash of the current year followed by a letter of the alphabet. While some research has been done to use AI to detect DGA domains, this remains an effective method for attackers to circumvent defensive measures and maintain access to their malware payloads

• Chat Apps: Many chat apps can be accessed via HTTP GET or POST requests if valid credentials are provided. This means attackers can host payloads on chat apps on their own anonymous or fake Slack, Telegram, Facebook, WhatsApp or other popular chat apps

• Publicly Hosted Images: Attackers can try to hide small segments of a payload within image metadata, or within the body of the image file itself (known as steganography) which can be extracted after the image has been downloaded into the victim's network by the first-stage malware

• Public forums Or Pastebin Websites: Attackers also often use public forums or Pastebin-like platforms to store and share malicious code or payloads. These platforms provide a degree of anonymity and can be used for hosting malware code, instructions, or complete payloads. While some network defenders are savvy to popular pastebin sites being used for malicious purposes, this approach can also present a significant challenge to detect and prevent malware from being imported to a compromised host

Conclusion

When it comes to the question of, "Where do hackers host malware payloads?" it's crucial to know that cyberattacks follow a predictable pattern.

Malware-based attacks need to first achieve some form of code execution on the victim's system and secondly import more advanced and specially purposed malware payloads that can further the attack.  Knowing this attack pattern allows defenders to detect the first or secondary malware payloads before they are executed in order to prevent the infection. 

When choosing a place to host their malicious code, attackers have priorities such as avoiding detection and maintaining anonymity while ensuring their payloads are highly available and can be easily deployed. These priorities lead to many potential locations where attackers may choose to host malware payloads. Still, knowing how attackers think and operate can help defenders better configure their defensive measures to increase their detection rates, or better prioritize alerts.

Looking to stay up-to-date on cybersecurity industry updates and news? Sign up for our newsletter today or reach out to our team for your free, zero-obligation quote to put our expertise into practice.