Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Cloud Security

Cybercriminals Host Malicious Payloads on Google Cloud Storage

A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.

A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.

As part of the attacks, the malicious actor attempts to trick users into clicking on malicious links to archive files such as .zip or .gz. The malicious payloads, which the researchers identified as being part of the Houdini and QRat malware families, were hosted on, the domain of the Google Cloud Storage service.

With the service used by countless companies, malicious actors can bypass security controls in place within organizations or built into commercial security products by simply hosting their payloads on the domain — the practice isn’t new.

“These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat. Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories,” Menlo’s security researchers explain.

In their attempt to compromise the victim’s machines, the attackers used two types of payloads, namely VBS scripts and JAR files.

The VBS scripts were highly obfuscated and might have been generated using a kit that automates the creation of malicious documents and which is widely available to bad actors, the researchers say.

Three of the scripts, which belong to the Houdini malware family, were highly obfuscated with three nested levels of obfuscated VBScript and encoded using Base64 encoding. All three connect to the same command and control (C&C) domain and use the same secondary C&C, all show the same string in the last level of obfuscated VBScript, and all download a JAR file.

Advertisement. Scroll to continue reading.

One of the files appears to belong to the Houdini/jRAT malware family, its C&C domain suggests. Other JAR files are likely part of the QRat malware family, but this is still being investigated.

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve. Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks,” Menlo Labs concludes.

Related: jRAT Leverages Crypter Service to Stay Undetected

Related: Qrypter RAT Hits Hundreds of Organizations Worldwide

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.