An active email campaign is reportedly targeting banking and financial services employees in the US and UK using popular cloud services to host the malicious payload, according to a blog posted today by Menlo Security.
The campaign targets endpoints, including PCs, and attackers are reportedly using two types of payloads – VBScripts and JAR files – to compromise the endpoints. In looking at the victims who have clicked on malicious links to archive files, researchers found that all files were either ZIP or GZ.
Evidence suggests that the campaign has been active since August, and researchers have confirmed that the malware one RAT family used was Houdini.
“Of the JAR files we identified, we believe one file (Swift invoice.jar) belongs to the Houdini/jRAT malware family. We reached this conclusion because it communicated with pm2bitcoin.com. The other JAR files are still being investigated, and we believe they belong to the Qrat malware family,” researchers wrote.
According to the blog, attackers used storage.googleapis.com, the domain of the Google Cloud Storage service, to host the malicious payload, and the primary attack vector is email, where malicious URLs are embedded within emails rather than sent as attachments.
A Google spokesperson told Infosecurity Magazine in a prepared statement, “We regularly remove malware on Google Cloud Storage, and our automated systems suspended the malware referred to in this report. In addition, customers canreport suspected abuse through our website.”
A compromised machine inside an enterprise network has wide-ranging business impact, which could be anywhere between loss of personally identifiable information to potentially much more damaging consequences like exfiltration of intellectual property, according to Vinay Pidathala, director of security research at Menlo Security.
“You can no longer trust ANY website: attackers are increasingly hiding behind well-know, popular hosting services to avoid detection. Credential attacks and remote access Trojans (RAT) malware are trends that will continue in the finance sector. These payloads, often zipped-up and in some cases in two layers, will continue to evolve to maneuver payloads into the environment,” Pidathala said.
“Botnets will decrease, and RAT malware will increase due to the ability RATs give attackers to customize and control every step of the attack. Once they get in, they can live off the fat of the land in the enterprise. We will continue to see an increase in cross-platform malware, similar to the malware we've seen in this specific campaign. By writing cross-platform malware, attackers only need to write one file to attack both platforms. Also, attackers tend to follow the money. With more enterprises using Macs, there is more of a motivation to go after them.”