A new business email compromise (BEC) campaign has been found striking financial companies and spreading malware through the Google Cloud Storage service.
On Wednesday, researchers from Menlo Labs said they have been watching the BEC scam for some time, which is focused on the employees of banks and financial services companies. The campaign follows the typical track of BEC schemes by using social engineering and phishing emails tailored for their targets in a bid to lure potential victims to click malicious links and download malware payloads.
The BEC scheme has been active since August this year and appears to be focusing on financial services in the UK and US.
However, this particular scheme does have an interesting element which the researchers say is becoming ever more common -- the use of legitimate, well-known storage services to instill further trust in a phishing message.
In this case, the scammers were making use of Google Cloud Storage, a service used for legitimate purposes by countless companies worldwide.
Menlo Security says that in every message tracked during this particular wave of phishing, each one sent malicious .zip or .gz files stored on storage.googleapis.com.
"Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products," the researchers say.
This particular technique has been dubbed "reputation-jacking," the use of popular, legitimate services to circumvent security measures when deploying malware. According to the cybersecurity firm, out of the top 100,000 domains, as ranked by Alexa, 4,600 domains were found to be involved in phishing schemes utilizing legitimate hosting services.
To make phishing emails less susceptible to discovery, threat actors may also choose to use malicious links rather than attachments, as many email security products will only recognize malicious links if they are registered within threat repositories.
While it may only be a matter of time before these addresses are recognized, it only takes a small window to successfully infiltrate an organization.
Should a victim's system receive a phishing email during the BEC scam in question, they would see attachments using names including transfer.vbs, Remittance invoice.jar, Transfer invoice.vbs, and Swift invoice.jar, all leading to files stored on Google Cloud Storage.
If these files are downloaded and executed, the VBS scripts and JAR files act as droppers to download and execute Trojans from the Houdini malware family. Each script is obfuscated using Base64 encoding and communicates with a command-and-control (C2) server on the pm2bitcoin.com domain.
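A defender-side heuristic for the indicators described above, added here as an illustration and not part of Menlo's report: it flags links whose host is exactly storage.googleapis.com and whose final path segment ends in one of the archive or script extensions the campaign used, while ignoring lookalike hosts and ordinary documents. The sample message and bucket names are constructed.

```python
import re
from urllib.parse import urlparse, unquote

# High-reputation storage hosts that attackers "reputation-jack";
# the article names storage.googleapis.com.
TRUSTED_STORAGE_HOSTS = {"storage.googleapis.com"}

# Archive and script extensions observed in the campaign.
RISKY_EXTENSIONS = (".zip", ".gz", ".vbs", ".jar")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def risky_storage_links(message_text):
    """Return (url, reason) pairs for links that point at a trusted
    storage host and deliver an archive or script payload."""
    findings = []
    for url in URL_RE.findall(message_text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Match the whole host, not a substring, so a lookalike such as
        # storage.googleapis.com.lookalike.invalid is not trusted.
        if host not in TRUSTED_STORAGE_HOSTS:
            continue
        # Inspect the last path segment after URL-decoding so that
        # "%20" and query strings such as ?alt=media do not hide the extension.
        filename = unquote(parsed.path.rsplit("/", 1)[-1]).lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append((url, f"{host} serving {filename}"))
    return findings


# Constructed sample message (not from the report); the file names mirror
# the attachment names the article lists.
SAMPLE_EMAIL = """Hi,
Please review the attached remittance:
https://storage.googleapis.com/example-bucket/Remittance%20invoice.jar
and the transfer confirmation at
https://storage.googleapis.com/example-bucket/transfer.vbs?alt=media
Our brochure: https://storage.googleapis.com/example-bucket/brochure.pdf
Lookalike: https://storage.googleapis.com.lookalike.invalid/Swift%20invoice.jar
"""

if __name__ == "__main__":
    for url, reason in risky_storage_links(SAMPLE_EMAIL):
        print("FLAG:", reason, "<-", url)
```

The host allow-list can be extended with other storage services, and the extension list with whatever dropper formats a mail gateway should treat as suspicious when served from a host it would otherwise trust.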
The Houdini remote access trojan (RAT) is able to move laterally through networks and removable drives and is able to execute and download additional payloads from C2 servers such as ransomware or cryptojacking malware.
The RAT has previously been detected in attacks against targets in the energy sector.
Google was made aware of the findings and the malware payloads have been removed. A Google spokesperson told ZDNet:
"We regularly remove malware on Google Cloud Storage, and our automated systems suspended the malware referred to in this report. In addition, customers can report suspected abuse through our website."
"Novel ways of gaining endpoint access are always being developed, and will continue to evolve," the researchers said. "Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks."
In related news, earlier this month the Save the Children foundation revealed that the organization had become a victim of a BEC scam, leading to the theft of $1 million.
The FBI has previously warned companies that over the past two years, law enforcement has recorded a 136 percent increase in BEC scam reports. Billions of dollars have been lost by enterprise companies to such schemes.