Hackers using Google Cloud to hack into banks and financial firms in the US and UK

• The malicious payload used to target the banks and financial companies was stored in the Google Cloud Storage domain.
• The email phishing campaign has been operational since August 2018.

A new email phishing campaign was recently discovered that has been targeting banks and financial firm across the US and UK. The campaign has been operational since August 2018 and aimed at infecting PCs and endpoints.

According to security researchers at Menlo Labs, who discovered the phishing campaign, the attackers chose to use malicious URLs instead of malicious attachments. The malicious payload used to target the banks and financial companies was stored on the on storage.googleapis.com - a widely trusted Google Cloud Storage domain.

“Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercially security products. It’s an example of the increased use of “reputation-jacking”—hiding behind well-known, popular hosting services to help avoid detection,” Menlo Labs researchers wrote in a blog.

According to the researchers, while most security products can detect malicious attachments but are unable to detect malicious URLs unless the malicious link is already in their threat repositories.

The attackers were also found using two types of malicious payloads to compromise targeted systems - VBS scripts and JAR files. Researchers believe that the VBS scripts were highly obfuscated and most likely developed using open-source hacking tools widely available to cybercriminals.

Meanwhile, the JAR files were discovered to have links to the Houdini malware family. Other JAR files analyzed is believed to belong to the Qrat malware family.

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. RATs, unlike botnets, are modular in nature and give attackers the ability to access compromised machines and then remotely run commands,” Menlo Labs researchers said.

“This enables the attackers to conduct reconnaissance of a network and change their tools, techniques, and procedures to accomplish their goals, so they don’t need to rely on a fully automated botnet built with a defined set of features,” the researchers added. “Novel ways of gaining endpoint access are always being developed and will continue to evolve. Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.”