CATEGORY: Cyber Crime
A new cyber-attack campaign against the financial sector has been observed, primarily in the UK and the USA. The attackers behind this espionage deliver their malicious payload via Google Cloud Storage: the payloads are hosted on storage.googleapis.com, the domain associated with the storage service. The attack begins with phishing emails that lure targets into clicking malicious links, which redirect victims to archived files such as .zip and .gz.
The lure consists of ‘Remittance invoice’ offers, as can be seen in the image below.
The malicious files contain two types of payloads, .vbs scripts and .jar (Java Archive) files, which are highly complex and perplexing. Making full use of reputation-jacking, the act of hiding behind reputable organizations to evade detection, the attackers host their malicious payloads on the widely trusted Google Cloud Storage service. The campaign uses malicious links instead of malicious attachments because most security controls are able to detect malicious files, while ignoring malicious links that are not on a blacklist.
The experts analyzed three scripts that belong to the Houdini malware family. These include:
The code was highly obfuscated, with three nested levels of obfuscated VBScript encoded using Base64. Researchers discovered that the scripts used the same C2 domain for their C&C server (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com). Moreover, the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript, and all three scripts download a JAR file. These files belong to the jRat and QRat malware families. This email campaign is being tracked by researchers at Menlo Labs.
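The nested Base64 layering described above is something a defender can unwind mechanically. The following added example (not code from the article or from Menlo Labs) peels Base64-decodable layers out of a VBScript sample up to a depth limit and reports at which layer the Houdini marker string or either C2 domain quoted above appears; the sample script and the DecodeBase64 wrapper name are constructed for illustration.

```python
import base64
import re

# Indicators quoted in the article; the defanged domains are normalised for matching.
HOUDINI_MARKER = "<[ recoder : houdini (c) skype : houdini-fx ]>"
C2_DOMAINS = tuple(d.replace("[.]", ".") for d in ("pm2bitcoin[.]com", "fud[.]fudcrypt[.]com"))

# A run of Base64 text long enough to be an embedded payload rather than a short token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _decode_layers(text, depth, max_depth):
    """Yield (depth, text) for this layer and every Base64-decodable layer nested in it."""
    yield depth, text
    if depth >= max_depth:
        return
    for blob in B64_RE.findall(text):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a decodable text layer; skip it
        yield from _decode_layers(inner, depth + 1, max_depth)

def scan_vbs(script, max_depth=5):
    """Return {indicator: shallowest layer depth at which it appeared}."""
    hits = {}
    for depth, layer in _decode_layers(script, 0, max_depth):
        if HOUDINI_MARKER in layer:
            hits.setdefault("houdini_marker", depth)
        for domain in C2_DOMAINS:
            if domain in layer:
                hits.setdefault(domain, depth)
    return hits

def _wrap(vbs):
    """Constructed: one layer of an Execute(Base64-decode(...)) obfuscation wrapper."""
    blob = base64.b64encode(vbs.encode()).decode()
    return 'Execute(DecodeBase64("%s"))' % blob  # DecodeBase64 is a hypothetical helper name

# Constructed sample, not a real payload: a harmless final layer that carries the
# Houdini marker as a comment and the campaign's C2 host, wrapped three levels deep.
INNER = "'" + HOUDINI_MARKER + "\r\nhost = \"pm2bitcoin.com\"\r\n"
SAMPLE = _wrap(_wrap(_wrap(INNER)))

if __name__ == "__main__":
    print(scan_vbs(SAMPLE))  # {'houdini_marker': 3, 'pm2bitcoin.com': 3}
```

The depth limit matters in practice: a sample that nests deeper than expected, or that switches to a different encoding at some layer, will produce no hits here and should be escalated to manual analysis rather than treated as clean.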
Attackers in the cyber arena are increasingly focusing on the financial sector, and more and more sophisticated phishing attacks are being observed targeting bank employees.
INDICATORS OF COMPROMISE
Block the IoCs at their respective controls. Also, make sure all employees are trained to recognize phishing attacks.