A recently discovered phishing campaign has been targeting financial sector employees in the U.S. and UK with remote access trojan payloads stored on a Google Cloud Storage domain.
In a company blog post today, researchers from Menlo Security’s Menlo Labs division report that the campaign seeks to infect PCs and other endpoints by tricking victims into clicking on malicious links that lead to .zip or .gz archive files hosted on storage.googleapis.com.
“Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products,” the blog post explains. “It’s an example of the increased use of ‘reputation-jacking’ – hiding behind well-known, popular hosting services to help avoid detection.”
The names of the downloaded malicious files typically implied that they were business invoices or fund transfers, while the phishing communications themselves appear to have been sent from a combination of newly created accounts and hijacked accounts.
Payloads distributed by the campaign have included variations on the RAT-like worm program called Houdini (aka H-Worm), as well as jRAT and Qrat. Menlo Labs believes the malicious VBS scripts used to deliver the malware were most likely created by the same malicious toolkit, since they all apparently belong to the Houdini family, they all employ heavy obfuscation and Base64 encoding, and they all share the same C2 domain as well as a particular string.
“These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat,” the blog post concludes. “Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories. To prevent these kinds of blended threats, visibility and correlation across both email and web traffic is essential.”
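The blended-threat detection the researchers describe, correlating URLs seen in inbound mail with archive downloads from the trusted storage host, can be sketched in a few lines. This is an added example, not code from Menlo Labs or SC Media; the log format, hostnames, mailbox names and lure keywords are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: URLs extracted from inbound mail, and a web proxy log
# in a made-up "timestamp client method url status bytes" format.
EMAIL_URLS = [
    ("alice@bank.example", "https://storage.googleapis.com/acct-files-1/Invoice_2018_11.zip"),
    ("bob@bank.example", "https://storage.googleapis.com/docs/quarterly-report.pdf"),
    ("carol@bank.example", "https://docs.example.com/fund_transfer.gz"),
]
PROXY_LOG = [
    "2018-11-27T09:12:01Z 10.1.2.3 GET https://storage.googleapis.com/acct-files-1/Invoice_2018_11.zip 200 51200",
    "2018-11-27T09:14:44Z 10.1.2.9 GET https://storage.googleapis.com/docs/quarterly-report.pdf 200 8800",
]

TRUSTED_HOST = "storage.googleapis.com"      # host named in the report
ARCHIVE_EXT = (".zip", ".gz")                # archive types named in the report
LURE_WORDS = ("invoice", "transfer", "payment", "remittance")  # assumed lure vocabulary

def score_url(url):
    """Return the reasons a URL matches the campaign pattern; an empty list means no match."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    reasons = []
    if parsed.hostname == TRUSTED_HOST and path.endswith(ARCHIVE_EXT):
        reasons.append("archive on trusted cloud storage host")
        if any(word in path for word in LURE_WORDS):
            reasons.append("financial lure filename")
    return reasons

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def correlate(email_urls, proxy_log):
    """Alert on suspicious mail URLs that were actually fetched through the proxy."""
    fetched = {}
    for line in proxy_log:
        m = LOG_RE.match(line)
        if m:
            fetched.setdefault(m.group(4), []).append((m.group(1), m.group(2)))
    alerts = []
    for recipient, url in email_urls:
        reasons = score_url(url)
        if reasons and url in fetched:
            for ts, client in fetched[url]:
                alerts.append({"recipient": recipient, "client": client,
                               "ts": ts, "url": url, "reasons": reasons})
    return alerts
```

A URL that is only seen in mail is a candidate for blocking; one that is both seen in mail and fetched from the trusted host is the case the email-only filters in the quoted passage miss.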
In response to this blog, Google Cloud told SC Media via email that “We regularly remove malware on Google Cloud Storage, and our automated systems suspended the malware referred to in this report. In addition, customers can report suspected abuse through our website.”