​New BEC scam campaign leverages Google Cloud Storage service to spread Houdini RAT

• Researchers discovered that the scam has been active since August this year
• The attackers are using storage[.]googleapis[.]com to host the malicious payloads - VBScripts and JAR files

A new business email campaign (BEC) has been found targeting banking and financial services in the US and UK. The scam leverages a Google Cloud Storage service to spread malware and infect the targeted computers.

An insight into the attack

Researchers from Menlo Labs discovered that the scam has been active since August this year and that the attackers are using storage[.]googleapis[.]com to host the malicious payloads - VBScripts and JAR files.

"Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercially security products," said the researchers in the blog post.

These malicious payloads are distributed in the form of links instead of attachments in order to make phishing emails less susceptible to discovery. Researchers confirm that one of the JAR files belong to Houdini/jRAT malware family.

“Of the JAR files we identified, we believe one file (Swift invoice.jar) belongs to the Houdini/jRAT malware family. We reached this conclusion because it communicated with pm2bitcoin[.]com. The other JAR files are still being investigated, and we believe they belong to the Qrat malware family,” wrote the researchers.

Impact

This particular technique used in the scam has been dubbed as ‘reputation-jacking’ - where attackers use popular, legitimate services to evade detection while deploying malware.

Once the files are downloaded and executed, the VBS and JAR script act as droppers to launch Houdini remote access trojan(RAT) using the C2 server on the pm2bitcoin domain. Once installed, the Houdini RAT can later be used to download additional payloads such as ransomware and cryptojacking malware.

A compromised machine inside an organization can have a wide range of impacts. This includes loss of personally identifiable information(PII) and exfiltration of intellectual property.

Mitigation

Researchers have recommended the users to be careful when opening unsolicited emails. The users must check out for attachments such as transfer.vbs, Remittance invoice.jar, Transfer invoice.vbs, and Swift invoice.jar in order to prevent such BEC scams.