A new email campaign aimed at businesses is spreading malware via the Google Cloud Storage service. The campaign focuses mainly on financial companies, according to ZDNet. The attack was discovered by researchers at Menlo Labs.

The researchers state that they have been studying this business email compromise (BEC) scam for some time now. The campaign targets employees of banks and financial companies. The attack uses social engineering and phishing emails tailored to the targets, in the hope that potential victims will click on malicious links and download malware. The attack has been active since August and focuses mainly on companies in Great Britain and the United States.

According to the researchers, this particular attack has an interesting element that is becoming increasingly common: it uses legitimate, well-known storage services to lend credibility to a phishing message. In this case, the attackers use Google Cloud Storage. According to the researchers, each message links to a malicious .zip or .gz file hosted on storage.googleapis.com.

“Attackers can host their payloads using this trusted domain to bypass security controls of organizations or those built into security products,” said the researchers. The technique is called reputation-jacking. According to the security company, 4,600 of the 100,000 most popular domains were used in phishing, abusing legitimate hosting services.

Operation

The malware needs only a short time to infiltrate an organization. When a phishing e-mail arrives, the victim sees what look like attachments with names such as transfer.vbs, Remittance invoice.jar, Transfer invoice.vbs and Swift invoice.jar. All of these are in fact links to files stored on Google Cloud Storage.

When the files are downloaded and run, the VBS scripts and JAR files act as droppers that download and execute trojans from the Houdini family. This malware family can move laterally through networks and can download and execute additional payloads from command-and-control (C&C) servers. These could be ransomware or cryptojacking malware.
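As an added example (not code from the article or from Menlo Labs), the following Python triage routine flags the two indicators the article describes: links to archives hosted on storage.googleapis.com, and payment-themed lure names with .vbs or .jar extensions. The message dictionary format and the sample messages are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosting domain the article reports being abused (reputation-jacking).
ABUSED_STORAGE_HOSTS = {"storage.googleapis.com"}
# Archive types the article says the links deliver.
ARCHIVE_EXTS = (".zip", ".gz")
# Dropper types named in the article: VBS scripts and JAR files.
DROPPER_EXTS = (".vbs", ".jar")
# Payment-themed words taken from the reported lure names.
LURE_WORDS = ("transfer", "remittance", "invoice", "swift")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_indicators(body, attachment_names):
    """Return a list of indicator tags for one inbound message."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in ABUSED_STORAGE_HOSTS and parsed.path.lower().endswith(ARCHIVE_EXTS):
            hits.append("archive_on_trusted_storage:" + url)
    for name in attachment_names:
        low = name.lower()
        if low.endswith(DROPPER_EXTS):
            hits.append("script_or_jar_attachment:" + name)
            if any(word in low for word in LURE_WORDS):
                hits.append("payment_lure_name:" + name)
    return hits


def triage(messages):
    """Map message id -> indicator tags; messages with no tags are omitted."""
    result = {}
    for msg in messages:
        hits = find_indicators(msg["body"], msg.get("attachments", []))
        if hits:
            result[msg["id"]] = hits
    return result


# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Please review the remittance: "
     "https://storage.googleapis.com/acme-docs/Remittance%20invoice.zip",
     "attachments": ["Remittance invoice.jar"]},
    {"id": "m2", "body": "Quarterly report attached.", "attachments": ["report.pdf"]},
    {"id": "m3", "body": "See https://storage.googleapis.com/pub/readme.txt",
     "attachments": ["Swift invoice.vbs"]},
]

if __name__ == "__main__":
    for mid, tags in triage(SAMPLE_MESSAGES).items():
        print(mid, tags)
```

Note that m3 is flagged on the attachment name alone: a link to a non-archive file on the trusted domain is not by itself treated as an indicator.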

Google has now been informed of the findings of the researchers. The rogue payloads have been removed. “We regularly remove malware on Google Cloud Storage and our automated systems have suspended the malware from this report. In addition, customers can report suspected abuse via our website,” said a spokesperson.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.