A recently discovered phishing campaign has been targeting financial sector employees in the U.S. and UK with remote access trojan (RAT) payloads stored on a Google Cloud Storage domain. Researchers say the campaign seeks to infect PCs and other endpoints by tricking victims into clicking malicious links within the phishing emails that lead to .zip or .gz archive files hosted on storage.googleapis.com.
“Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products,” the blog post explains. “It’s an example of the increased use of ‘reputation-jacking’ – hiding behind well-known, popular hosting services to help avoid detection.”
The names of the downloaded malicious files typically implied that they were business invoices or fund transfers, while the phishing communications themselves appear to have been sent from a combination of newly created accounts and hijacked accounts.
Payloads distributed by the campaign have included variations on the RAT-like worm program called Houdini (aka H-Worm), as well as jRAT and Qrat. Menlo Labs believes the malicious VBS scripts used to deliver the malware were most likely created with the same malicious toolkit: they all appear to belong to the Houdini family, they all employ heavy obfuscation and Base64 encoding, and they all share the same C2 domain as well as a particular string.
“These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat,” the blog post concludes. “Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories. To prevent these kinds of blended threats, visibility and correlation across both email and web traffic is essential.”
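The blended-threat point above (links to archive files on a trusted hosting domain, caught only by correlating mail and web traffic) can be turned into a simple detection. The following is an added illustration, not code from the article or from Menlo Labs; the email bodies, proxy log lines and the `HOSTING_DOMAINS` and `ARCHIVE_EXTS` lists are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not from the article): three email bodies and a
# few web-proxy log lines of the form "<ts> <client> <method> <url> <status> <content-type>".
EMAILS = [
    {"id": "m1", "sender": "accounts@newly-created.test",
     "body": "Please review the invoice: https://storage.googleapis.com/acme-bucket/Invoice_2291.zip"},
    {"id": "m2", "sender": "hr@corp.test",
     "body": "Team photos here https://photos.corp.test/album/123"},
    {"id": "m3", "sender": "treasury@hijacked-partner.test",
     "body": "Fund transfer confirmation http://storage.googleapis.com/x-files/transfer_0093.gz"},
]

PROXY_LOG = [
    "2024-01-01T10:02:11Z 10.1.2.3 GET https://storage.googleapis.com/acme-bucket/Invoice_2291.zip 200 application/zip",
    "2024-01-01T10:05:40Z 10.1.2.9 GET https://photos.corp.test/album/123 200 text/html",
    "2024-01-01T11:17:05Z 10.1.2.7 GET https://storage.googleapis.com/other/readme.txt 200 text/plain",
]

# Assumed watchlist: widely trusted hosting domains that are cheap to abuse for
# payload delivery, and the archive extensions the campaign used (plus common kin).
HOSTING_DOMAINS = {"storage.googleapis.com"}
ARCHIVE_EXTS = (".zip", ".gz", ".tgz", ".rar", ".7z")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def normalize(url):
    """Key a URL by lower-cased host plus path so http/https variants correlate."""
    p = urlparse(url)
    return (p.hostname or "").lower() + p.path


def is_suspicious_url(url):
    """True when an archive file is served from a watch-listed hosting domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host in HOSTING_DOMAINS and p.path.lower().endswith(ARCHIVE_EXTS)


def parse_proxy_line(line):
    """Parse one constructed proxy record into a dict."""
    ts, client, method, url, status, ctype = line.split(maxsplit=5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype}


def correlate(emails, proxy_lines):
    """Return (flagged, alerts).

    flagged: normalized suspicious URL -> list of email ids that carried it.
    alerts:  one entry per proxy fetch of a URL that was first seen in mail,
             i.e. a user actually clicked through to the archive.
    """
    flagged = {}
    for msg in emails:
        for url in extract_urls(msg["body"]):
            if is_suspicious_url(url):
                flagged.setdefault(normalize(url), []).append(msg["id"])

    alerts = []
    for line in proxy_lines:
        rec = parse_proxy_line(line)
        key = normalize(rec["url"])
        if key in flagged:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "url": rec["url"], "email_ids": flagged[key]})
    return flagged, alerts


if __name__ == "__main__":
    flagged, alerts = correlate(EMAILS, PROXY_LOG)
    for key, ids in flagged.items():
        print(f"seen in mail {ids}: {key}")
    for a in alerts:
        print(f"CLICK-THROUGH {a['ts']} client={a['client']} url={a['url']} via {a['email_ids']}")
```

An archive download from a shared hosting domain is a weak signal on its own (the `readme.txt` fetch and plenty of legitimate bucket downloads would not and should not fire), which is why the alert is only raised when the same host and path was first observed in an inbound message; in a real deployment the mail-side index would be fed by the mail gateway and the lookup run against proxy or DNS telemetry.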
This phishing incident, and others like it, illustrates how financial institution employees increasingly prove to be weaker links in the security chain.
Inadequate authentication practices, lax mandates for computer security upgrades and patches, and a lack of anti-fraud systems and anti-phishing protocols leave banking institution employees, in some cases, more susceptible to malware attacks waged through socially engineered schemes than bank customers are.
The banks themselves don’t use the same controls they ask customers to use. You see banks focusing on data loss prevention, but then you often see antiquated antivirus systems, outdated fraud detection and prevention programs. It’s those types of outdated systems that make them vulnerable.