Storm-1977 attackers deployed 200+ crypto-mining containers using the AzureChecker CLI tool

The threat actor group tracked as Storm-1977 has succeeded in deploying more than 200 containers repurposed for cryptocurrency mining, using a command-line tool known as AzureChecker.
The attacks primarily targeted cloud tenants in the education sector, using password spraying to exploit weak credential hygiene and authentication controls and gain initial access to cloud environments.
The attackers followed a systematic approach: they first identified weak targets through reconnaissance, then used the AzureChecker.exe tool to automate large-scale password spray attacks against cloud environments.
Once a credential authenticated successfully, the actors moved quickly to establish persistence by creating resource groups inside the compromised subscriptions, and ultimately deployed hundreds of containers configured for cryptomining.
Microsoft Threat Intelligence researchers identified the campaign during routine threat monitoring, noting the distinctive operational patterns that set Storm-1977 apart from other threat actors.
Analysis of the attack chain revealed techniques designed to evade detection while maximizing resource consumption in the compromised environments.
After gaining access to compromised subscriptions, the attackers showed a solid understanding of cloud infrastructure, particularly containerized environments, deploying more than 200 containers specifically configured for cryptomining operations.
The scale and efficiency of the deployment point to a well-developed operational framework designed to monetize the hijacked resources rapidly.
Infection mechanism and technical analysis
The core of Storm-1977's tradecraft is the AzureChecker.exe CLI tool, which forms the cornerstone of their password-spraying operations.
The tool was observed connecting to sac-auth.nodefunction[.]vip, from which it downloaded AES-encrypted data containing the list of password spray targets.
The tool also accepts an external file named accounts.txt containing username and password combinations to use in authentication attempts.
The infection sequence begins when AzureChecker decrypts the downloaded target list and systematically tests the credentials against the target cloud tenants.
An invocation of the tool might look like the following (illustrative; this is not a captured command line):
AzureChecker.exe -i accounts.txt -o results.json -t 30
This would direct the tool to read credentials from the accounts file, write successful authentications to results.json, and wait 30 seconds between attempts to stay under alerts that trigger on authentication rate. A delay of that kind only defeats rate-based lockout and alerting; a detection keyed on the number of distinct accounts targeted from one source is unaffected by it.
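As an added example (not code from the article, from Microsoft, or from the AzureChecker tool itself), the following Python detector shows why spacing attempts 30 seconds apart does not help the attacker against the right detection. It runs over a constructed set of Entra ID-style sign-in events in which one source address tries twelve different accounts with one attempt each, 30 seconds apart, and flags the source by the number of distinct accounts targeted in a window rather than by attempt rate; it also reports the account whose password was guessed, because a success from the spraying source is the sign that a credential is now compromised. The usernames, IP addresses, thresholds and the four-field event shape are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for a hypothetical tenant. The four fields
# mirror Entra ID sign-in log columns: createdDateTime, userPrincipalName,
# ipAddress and the result code (0 = success, 50126 = invalid password).
_BASE = datetime(2025, 4, 1, 8, 0, 0)
SPRAY_IP = "203.0.113.10"     # one source trying many users, 30 s apart
NORMAL_IP = "198.51.100.5"    # one user mistyping a password, then succeeding

SAMPLE_SIGNINS = [
    ((_BASE + timedelta(seconds=30 * i)).isoformat(),
     f"user{i:02d}@contoso-edu.example", SPRAY_IP, 50126)
    for i in range(1, 13)
]
# The sprayed password was valid for the last account: a success from the
# same source after the spray is the sign that credential is now compromised.
SAMPLE_SIGNINS.append(((_BASE + timedelta(minutes=7)).isoformat(),
                       "user12@contoso-edu.example", SPRAY_IP, 0))
SAMPLE_SIGNINS += [
    ((_BASE + timedelta(minutes=1)).isoformat(), "alice@contoso-edu.example", NORMAL_IP, 50126),
    ((_BASE + timedelta(minutes=2)).isoformat(), "alice@contoso-edu.example", NORMAL_IP, 50126),
    ((_BASE + timedelta(minutes=3)).isoformat(), "alice@contoso-edu.example", NORMAL_IP, 0),
]


def detect_password_spray(events, window=timedelta(hours=1),
                          min_distinct_users=10, max_failures_per_user=2):
    """Flag source IPs whose failed sign-ins fan out across many distinct
    users inside `window`, with few attempts per user. Keying on the number
    of distinct users rather than the attempt rate is what lets this catch a
    spray throttled to one attempt every 30 seconds.

    Returns {ip: {"distinct_users", "window_start", "window_end",
                  "successes_after_spray"}} for every flagged IP.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, code in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, code))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(t, u) for t, u, c in evs if c != 0]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward so it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in failures[start:end + 1]:
                per_user[u] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_failures_per_user):
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"distinct_users": len(per_user),
                            "window_start": failures[start][0],
                            "window_end": failures[end][0]}
        if best is not None:
            # Any success from the same source during or after the spray
            # window identifies the account whose password was guessed.
            best["successes_after_spray"] = sorted(
                {u for t, u, c in evs if c == 0 and t >= best["window_start"]})
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {f['distinct_users']} users sprayed, "
              f"compromised: {f['successes_after_spray']}")
```

The thresholds are deliberately conservative: ten distinct accounts with at most two failures each from one address in an hour is not a pattern a legitimate user produces, so the rule can run with low noise even in a tenant where individual lockout counters never trip.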
Once valid credentials were obtained, Storm-1977 used guest accounts to create new resource groups in the compromised subscriptions.
The attackers demonstrated a sound knowledge of Kubernetes environments, creating containers with configurations tuned to maximize mining throughput while minimizing the chance of detection through routine monitoring channels.
Attacks against containerized environments can come from several vectors, with compromised accounts being one of the main attack surfaces used by Storm-1977.
The success of these operations highlights the critical importance of strong security controls, particularly in educational environments, where resource constraints may limit security monitoring capabilities.
Organizations can protect themselves against similar attacks by enforcing multi-factor authentication, applying the principle of least privilege to all accounts (guest accounts included), monitoring for suspicious API calls, and deploying container security solutions able to detect anomalous activity within Kubernetes environments.
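As an added example (not from the article or from Microsoft's report) of the "monitor suspicious API calls" recommendation, the following Python detector runs over constructed Azure Activity Log-style events and flags a caller that creates a resource group and then deploys an unusual number of containers into it within an hour, raising the severity when the caller is a guest account (an Entra ID B2B guest has "#EXT#" in its user principal name). The two Azure Resource Manager operation names are real; the callers, resource group names, thresholds and event shape are assumptions, and the same rule applies unchanged to pod-creation events in Kubernetes audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real Azure Resource Manager operation names as they appear in the Activity Log.
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
CONTAINER_WRITE = "Microsoft.ContainerInstance/containerGroups/write"

# Constructed sample events for a hypothetical tenant:
# (time, caller UPN, operationName, resource group). Guest callers in Entra ID
# carry "#EXT#" in their UPN, which is how the detector recognizes them.
_BASE = datetime(2025, 4, 1, 9, 0, 0)
GUEST = "attacker_outlook.com#EXT#@contoso-edu.example"
ADMIN = "ops-admin@contoso-edu.example"

SAMPLE_ACTIVITY = [(_BASE.isoformat(), GUEST, RG_WRITE, "rg-miner")]
# 200 container writes, one every five seconds, into the guest's new group.
SAMPLE_ACTIVITY += [
    ((_BASE + timedelta(seconds=5 * i)).isoformat(), GUEST, CONTAINER_WRITE, "rg-miner")
    for i in range(1, 201)
]
# A normal admin creating a lab group with a single container: not flagged.
SAMPLE_ACTIVITY += [
    ((_BASE + timedelta(minutes=30)).isoformat(), ADMIN, RG_WRITE, "rg-lab"),
    ((_BASE + timedelta(minutes=31)).isoformat(), ADMIN, CONTAINER_WRITE, "rg-lab"),
]


def is_guest(upn):
    """Entra ID B2B guest accounts are named <user>_<domain>#EXT#@<tenant>."""
    return "#EXT#" in upn.upper()


def detect_mass_container_deploy(events, window=timedelta(hours=1), min_containers=50):
    """Return one finding per (caller, resource group) where the caller created the
    group and then wrote at least `min_containers` container groups into it within
    `window`. Guest callers are rated high because they should not be creating
    infrastructure at all; member accounts doing the same are still worth a look.
    """
    by_caller = defaultdict(list)
    for ts, caller, op, rg in events:
        by_caller[caller].append((datetime.fromisoformat(ts), op, rg))

    findings = []
    for caller, evs in by_caller.items():
        evs.sort()
        for t0, op, rg in evs:
            if op != RG_WRITE:
                continue
            n = sum(1 for t, o, r in evs
                    if o == CONTAINER_WRITE and r == rg and t0 <= t <= t0 + window)
            if n >= min_containers:
                findings.append({
                    "caller": caller,
                    "resource_group": rg,
                    "containers": n,
                    "guest": is_guest(caller),
                    "severity": "high" if is_guest(caller) else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in detect_mass_container_deploy(SAMPLE_ACTIVITY):
        print(f"[{f['severity']}] {f['caller']} created {f['resource_group']} "
              f"and deployed {f['containers']} containers")
```

A resource group write by a guest account is itself a strong signal in most tenants and can be alerted on alone; the container count is what separates a mis-scoped guest from an active cryptomining deployment, so both are worth surfacing.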