Cloud Security, Threat Management, Malware

Phishing campaign targets finance employees with RATs downloaded from Google Cloud Storage

A recently discovered phishing campaign has been targeting financial sector employees in the U.S. and UK with remote access trojan payloads stored on a Google Cloud Storage domain.

In a company blog post today, researchers from Menlo Security's Menlo Labs division report that the campaign seeks to infect PCs and other endpoints by tricking victims into clicking on malicious links that lead to .zip or .gz archive files hosted on hosted on 

"Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercially security products," the blog post explains. "It's an example of the increased use of 'reputation-jacking' – hiding behind well-known, popular hosting services to help avoid detection."

The names of the downloaded malicious files typically implied that they were business invoices or fund transfers, while the phishing communications themselves appear to have been sent from a combination of newly created accounts and hijacked accounts.

Payloads distributed by the campaign have included variations on the RAT-like worm program called Houdini (aka H-Worm), as well as jRAT and Qrat. Menlo Labs believes the malicious VBS scripts used to deliver the malware were most likely created by the same malicious toolkit, seeing as they all apparently belong to the Houdini family, they all employ heavy obfuscation and Base64 encoding, and they all share the same C2 domain as well as a particular string.

"These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat," the blog post concludes. "Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories. To prevent these kinds of blended threats, visibility and correlation across both email and web traffic is essential."

In response to this blog, Google Cloud told SC Media via email that “We regularly remove malware on Google Cloud Storage, and our automated systems suspended the malware referred to in this report. In addition, customers can report suspected abuse through our website.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.