PaaS malware: A hub for criminals

In this post we will take a look at PaaS malware, the HerokuApp environment and the differences between PaaS and SaaS.

Did you know that PaaS and SaaS environments can be used for malicious goals? In the past, a campaign dubbed ‘PoetRAT’ utilized the Heroku PaaS service to host various phishing pages that targeted the Azerbaijan government. Earlier, Heroku was also seen in a Magecart campaign that went after financial details.

PaaS

PaaS stands for Platform as a Service and offers a number of services on top of the cloud infrastructure. This allows SaaS providers to offer their applications. Services in this layer are, for example, identity management, portal functionality and access management.

Many software projects require the freedom of a complete operating system under your own control. With PaaS, these operating systems typically run on a server cloud, and because virtualization is part of such a cloud, they are usually offered in the form of a VPS (virtual private server).

A provider can flexibly distribute the available hardware among its customers, and a customer can claim a larger share of that hardware on request. By facilitating the creation, management, backup, recovery, enlargement, reduction and migration of virtual servers via a web interface, PaaS becomes a true cloud hosting service.

Another very typical cloud feature is the ease of creating a platform. This is achieved not only by offering a number of pre-installed server installations (templates), but also by offering automatic software installations and managing them afterwards (think of a firewall, or keeping the software up to date).

Support by means of a knowledge base, together with personal support, is also an important factor in the PaaS experience. By giving these parts a lot of attention, PaaS comes close to SaaS, but it offers complete freedom. The goal is to create an accessible, educational, reliable and flexible environment.

An important, but not necessary, element of PaaS is the on-demand approach that allows customers to easily scale up the desired capacity. Some providers even bill per minute. The comparison with a water or electricity subscription is therefore often made.

In combination with automatic or manual adjustment of the capacity to the customer's needs, this can be a valuable addition. People always have access to the required capacity, but never pay for more than they use.

SaaS

SaaS stands for Software as a Service, and is also sometimes referred to by the term Software on Demand. In contrast to on-premises software, a SaaS customer does not purchase the software; instead, the SaaS supplier receives an amount per user per month according to an agreement. The SaaS supplier takes care of installation, maintenance and management. The customer uses the software at the SaaS provider via the internet and is often unable to make substantial changes to it.

Wide usage

If we take a look at Heroku PaaS on GitHub, we will see that there are 7000 repositories which clearly use the Heroku PaaS.

herokuapp usage on GitHub

Most of these GitHub projects are legitimate: they work, they have a community, and there is active development taking place. This shows that Heroku PaaS is legitimate, right?

Cybercriminals

Cybercriminals don't go with the flow like dead fish; they look for chances and utilize them whenever they see fit. They have used and will use PaaS and SaaS. Heroku has a freemium PaaS model, and new users can experiment with the platform's free web hosting services with certain limitations.

Why do they use PaaS or SaaS?

It is simple: these services are often used for legitimate goals, so security products and ‘experts’ will often not perform detection on them the way they do with other reputation-based environments. Cybercriminals know this, and they will use this mindset against them.

Kudos to the security vendors, beginners and experts. This cat and mouse game will continue.

Cyberwarzone

Now I might sound harsh, but security is never friendly. Cyber criminals will try to make it hard for anyone who wants to stop them; they don't have a 9 to 5 mindset, and they certainly have the time and focus.

We have seen it before: cyber criminals will use legitimate services like Dropbox, Facebook and Twitter to control their botnets or drop malware.

In the picture below, you will see a list of samples which have some detections on them. These samples all connect to the PaaS service Heroku.

Samples which connect to HerokuApp PaaS

PoetRAT: Covid-19 Phishing

The PoetRAT campaign utilized the Heroku PaaS environment to host phishing pages.

PoetRAT campaign phishing page

The campaign had the following elements:

  • Azerbaijan government and energy sector were likely targeted by an unknown actor.
  • From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.
  • The actor uses Word documents to drop malware that allows remote control over the victims.
  • The new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.
  • The actor collects files, passwords and even images from the webcam, using other tools that it deploys as needed.

Using the Heroku PaaS environment allowed the threat actor to set up a phishing page with little effort. Furthermore, because the Heroku environment itself is legitimate, the chance that the page would hit any blacklist is small. This again shows that reputation-based feeds are not enough.

PoetRAT IOCs

C2:
dellgenius[.]hopto[.]org

Phishing domains:
gov-az[.]herokuapp[.]com
govaz[.]herokuapp[.]com

URLs:
hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=

Monitoring and security

Do you monitor the PaaS and SaaS services your company uses? Doing so is a good step towards improving the security posture of your environment. Monitor outbound connections and check for connections to PaaS or SaaS services that should not have taken place. You can also be proactive and block all PaaS and SaaS services until an application or process demonstrably needs access.
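A simple version of that monitoring step, as an added example and not code from the post: it parses constructed proxy log lines, picks out connections to `*.herokuapp.com` hosts, and reports every Heroku app that is not on an approval list. The log format and the approved app name are assumptions for the example; the flagged hosts are the PoetRAT phishing domains from the IOC list above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Heroku apps the organisation has knowingly approved (assumption for this example).
APPROVED_HEROKU_APPS = {"corp-dashboard"}
HEROKU_SUFFIX = ".herokuapp.com"

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
# The gov-az/govaz hosts are the PoetRAT phishing domains listed in the post.
SAMPLE_LOG = """\
2020-05-01T09:12:03Z 10.0.0.15 GET https://corp-dashboard.herokuapp.com/api/v1/status 200
2020-05-01T09:12:07Z 10.0.0.23 GET https://gov-az.herokuapp.com/azGovaz.php?login= 200
2020-05-01T09:13:11Z 10.0.0.23 POST https://govaz.herokuapp.com/azGovaz.php 200
2020-05-01T09:14:42Z 10.0.0.31 GET https://www.example.com/index.html 200
not a well-formed log line
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def heroku_app_name(url):
    """Return the app name when the URL host is <app>.herokuapp.com, else None.

    Matching the whole suffix means look-alikes such as
    herokuapp.com.attacker.example are not mistaken for Heroku hosts.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(HEROKU_SUFFIX):
        return None
    return host[: -len(HEROKU_SUFFIX)] or None


def find_unapproved_heroku(log_text, approved=APPROVED_HEROKU_APPS):
    """Map each Heroku app outside the allow-list to the client IPs that reached it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at their fields
        _ts, client, _method, url, _status = m.groups()
        app = heroku_app_name(url)
        if app and app not in approved:
            hits[app].add(client)
    return {app: sorted(ips) for app, ips in hits.items()}


if __name__ == "__main__":
    for app, clients in find_unapproved_heroku(SAMPLE_LOG).items():
        print(f"unapproved Heroku app {app}{HEROKU_SUFFIX} contacted by {', '.join(clients)}")
```

The same allow-list approach works for any PaaS whose tenants share a well-known parent domain; the approved set is where the "block until an application needs access" policy is recorded.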
