A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.
As part of the attacks, the malicious actor attempts to trick users into clicking on malicious links to archive files such as .zip or .gz. The malicious payloads, which the researchers identified as being part of the Houdini and QRat malware families, were hosted on storage.googleapis.com, the domain of the Google Cloud Storage service.
With the service used by countless companies, malicious actors can bypass security controls in place within organizations or built into commercial security products by simply hosting their payloads on the domain — the practice isn’t new.
“These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat. Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories,” Menlo’s security researchers explain.
In their attempt to compromise the victim’s machines, the attackers used two types of payloads, namely VBS scripts and JAR files.
The VBS scripts were highly obfuscated and might have been generated using a kit that automates the creation of malicious documents and which is widely available to bad actors, the researchers say.
Three of the scripts, which belong to the Houdini malware family, were highly obfuscated with three nested levels of obfuscated VBScript and encoded using Base64 encoding. All three connect to the same command and control (C&C) domain and use the same secondary C&C, all show the same string in the last level of obfuscated VBScript, and all download a JAR file.
One of the files appears to belong to the Houdini/jRAT malware family, its C&C domain suggests. Other JAR files are likely part of the QRat malware family, but this is still being investigated.
“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve. Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks,” Menlo Labs concludes.
Related: jRAT Leverages Crypter Service to Stay Undetected
Related: Qrypter RAT Hits Hundreds of Organizations Worldwide