Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY:
A new cyber-attack campaign against the financial sector has been observed, primarily in the UK and the USA. The attackers behind this espionage campaign are delivering their malicious payload via Google Cloud Storage: the payloads are hosted on storage.googleapis.com, the domain associated with the storage service. The attack begins with phishing emails luring targets into clicking malicious links, which redirect the victims to archive files such as .zip and .gz.
The lure consists of ‘Remittance invoice’ offers, as can be seen in the image below.
The archives contain two types of payloads, .vbs scripts and .jar (Java Archive) files, which are highly complex and perplexing. Making full use of reputation-jacking, the practice of hiding behind reputable organizations to evade detection, the attackers host their malicious payloads on the widely trusted Google Cloud Storage service. The campaign uses malicious links instead of malicious attachments because most security controls can detect malicious files but miss malicious links that are not on a blacklist.
The experts analyzed three scripts which belong to the Houdini malware family. These include:
The scripts were highly obfuscated, with three nested levels of obfuscated VBScript, each encoded with Base64. Researchers discovered that all of them used the same C&C domain (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com). Moreover, the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript, and all three download a JAR file. These files belong to the jRat and QRat malware families. This email campaign is being tracked by researchers at MenloLabs security.
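The nested Base64 layers and the fixed marker string described above lend themselves to a static triage check that peels the layers and reports what each one contains. The following Python is an added example written for this advisory, not code from Rewterz or MenloLabs; the marker string and C2 domains come from the advisory, while the three-level sample script, its `Execute(Base64Decode(...))` wrapper form and the EXAMPLE-BUCKET URL are constructed here.

```python
import base64
import binascii
import re

# Marker string the advisory reports in the innermost VBScript layer.
HOUDINI_MARKER = "<[ recoder : houdini (c) skype : houdini-fx ]>"
# C2 domains from the advisory (defanged on the page, re-fanged here for matching).
C2_DOMAINS = ("pm2bitcoin.com", "fud.fudcrypt.com")
# Base64 runs this long are candidate embedded payloads rather than ordinary tokens.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _decode_blobs(text):
    """Decode every long Base64 run in text, skipping anything that is not valid Base64."""
    decoded = []
    for m in _B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded

def triage_vbs(script, max_depth=5):
    """Peel nested Base64 layers and report Houdini/jRAT-style indicators across all layers."""
    report = {"max_depth": 0, "houdini_marker": False, "c2": set(), "jar_urls": []}
    frontier = [(0, script)]
    while frontier:
        depth, text = frontier.pop()
        report["max_depth"] = max(report["max_depth"], depth)
        if HOUDINI_MARKER in text:
            report["houdini_marker"] = True
        report["c2"].update(d for d in C2_DOMAINS if d in text)
        report["jar_urls"].extend(re.findall(r"https?://\S+\.jar", text))
        if depth < max_depth:  # bound the recursion so a decoy cannot loop the analyst
            frontier.extend((depth + 1, inner) for inner in _decode_blobs(text))
    return report

def _wrap(inner):
    """Constructed wrapper: one VBScript level that decodes and runs the next level."""
    b64 = base64.b64encode(inner.encode()).decode()
    return 'Execute(Base64Decode("' + b64 + '"))'

# Constructed three-level sample; the bucket path is a placeholder, not a real IoC.
_INNER = (
    "' " + HOUDINI_MARKER + '\nhost = "pm2bitcoin.com"\n'
    'url = "https://storage.googleapis.com/EXAMPLE-BUCKET/invoice.jar"\n'
)
SAMPLE_VBS = _wrap(_wrap(_wrap(_INNER)))
```

Calling `triage_vbs(SAMPLE_VBS)` reports a depth of 3, the Houdini marker, the pm2bitcoin.com C2 and the JAR URL, none of which are visible in the outer layer; the same function can be pointed at a suspicious .vbs read from disk.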
Attackers in the cyber arena are focusing their targeting on the financial sector, and increasingly sophisticated phishing attacks are being observed against bank employees.
INDICATORS OF COMPROMISE
URLs:
Email Subject:
Email Addresses:
Malware Hashes:
REMEDIATION
Block the IoCs at their respective controls. Also, make sure all employees are trained to recognize phishing attacks.