{"id":4550,"date":"2018-12-28T11:26:16","date_gmt":"2018-12-28T05:56:16","guid":{"rendered":"https:\/\/qadit.com\/blog\/hackers-target-financial-firms-hosting-malicious-payloads-on-google-cloud-storage\/"},"modified":"2018-12-28T11:26:16","modified_gmt":"2018-12-28T05:56:16","slug":"hackers-target-financial-firms-hosting-malicious-payloads-on-google-cloud-storage","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/hackers-target-financial-firms-hosting-malicious-payloads-on-google-cloud-storage\/","title":{"rendered":"Hackers target financial firms hosting malicious payloads on Google Cloud Storage"},"content":{"rendered":"<h2><strong>Researchers at Menlo Labs uncovered a malicious email campaign that abuses Google Cloud Storage to target employees of banks and financial services companies.<\/strong><\/h2>\n<p>The campaign targeted organizations in the US and the UK; the attackers abused Google Cloud Storage to deliver the payloads.<\/p>\n<p>The spam messages include links that point to archive files such as .zip or .gz, and the attackers attempt to trick victims into clicking on them. The threat actors hosted the malicious payloads on <a href=\"http:\/\/storage.googleapis.com\">storage.googleapis.com<\/a>, the domain of the Google Cloud Storage service. The payloads belong to the Houdini and QRat malware families.<br \/>\n<img decoding=\"async\" src=\"https:\/\/i2.wp.com\/securityaffairs.co\/wordpress\/wp-content\/uploads\/2018\/12\/Google-Cloud-Storage.jpg?fit=1024%2C576&amp;ssl=1\" alt=\"\" \/><\/p>\n<p>With this scheme, the threat actors are able to bypass security controls in place within the targeted organizations.<\/p>\n<p><em>\u201cIn all of these cases, the malicious payload was hosted on <a href=\"http:\/\/storage.googleapis.com\">storage.googleapis.com<\/a>, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products.\u201d reads the analysis published by security researchers at Menlo.<\/em><\/p>\n<p><em>\u201cIt\u2019s an example of the increased use of \u201creputation-jacking\u201d\u2014hiding behind well-known, popular hosting services to help avoid detection.\u201d<\/em><\/p>\n<p>The attackers likely used malicious links rather than malicious attachments because the infection chain combines email and the web. Many security solutions can detect malicious attachments but identify malicious URLs only if they are already included in a blacklist.<\/p>\n<p>The attackers used two types of payloads to compromise the victims: VBS scripts and JAR files. The malicious VBS scripts analyzed by the experts were highly obfuscated and were likely generated by one of the builders available in the cybercrime underground.<\/p>\n<p>The experts analyzed three scripts belonging to the Houdini malware family. Each consisted of three nested levels of obfuscated VBScript, encoded with Base64. All three used the same C2 domain (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com).<\/p>\n<p>Researchers noticed that the same string \u201c<em>&lt;[ recoder : houdini (c) skype : houdini-fx ]&gt;<\/em>\u201d appears in the innermost level of obfuscated VBScript, and that all three scripts download a JAR file.<\/p>\n<p>One of the JAR files belongs to the Houdini\/jRAT malware family, while the other JAR files belong to the QRat malware family.<\/p>\n<p><em>\u201cThe Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve.\u201d Menlo Labs concludes.<\/em><\/p>\n<p><em>\u201cFinancial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.\u201d<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Menlo Labs uncovered a malicious email campaign that abuses Google Cloud Storage to target employees of banks and financial services companies. The campaign targeted organizations in the US and the UK; the attackers abused Google Cloud Storage to deliver the payloads. The spam messages include links that point to archive files such as &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/hackers-target-financial-firms-hosting-malicious-payloads-on-google-cloud-storage\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hackers target financial firms hosting malicious payloads on Google Cloud Storage&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-4550","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-1bo","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4550"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4550\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}