Red Security

Hackers Host Malicious Payloads on Google Cloud Storage to Bypass Security Systems

Recently, malicious actors used Google Cloud Storage to host malicious payloads and breach organizations' networks by bypassing their security controls. Their main vector was Google Cloud Storage's service domain, storage.googleapis.com, which is used by many companies around the world.

This campaign mainly targeted employees of banks and other financial-sector services based in the US and UK, and it is speculated to have been in operation since August of this year. The attack began with phishing emails carrying links that pointed to a malicious website hosted on Google Cloud. Researchers later found that over 4,600 phishing sites used legitimate hosting services. This is known as reputation jacking: a malicious site hides behind a legitimate, recognized hosting service.

The payloads themselves were obfuscated, malicious VBS scripts that appear to belong to the Houdini malware family; one file in particular, a JAR file named Swift invoice.har, belongs to that family. Other JAR files are still being examined and may belong to the Qrat malware family.
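Since the campaign relies on a trusted hosting domain to slip script and JAR payloads past URL-reputation checks, a simple defensive control is to treat "trusted cloud-storage host + script-type file extension" as a signal worth escalating. The following is an added example for illustration, not code from the original post or from any vendor: it scans constructed proxy-log lines for links on storage.googleapis.com (the only domain named above; the watch-list and extension set are assumptions a team would tune) that end in VBS, JAR or similar payload extensions.

```python
"""Flag links that borrow a trusted cloud-storage domain to deliver script payloads.

Added illustrative example (not from the original post). It scans log lines
for URLs on watch-listed hosting domains whose path ends in a script or
archive extension, the pattern described in the post (reputation jacking).
"""
import re
from urllib.parse import urlparse

# Hosting domains whose reputation attackers borrow. Only storage.googleapis.com
# is named in the post; the set is an assumed, tunable watch-list.
TRUSTED_HOSTING_DOMAINS = {"storage.googleapis.com"}

# Payload extensions worth escalating when served from such a domain (assumed list;
# the post names VBS scripts and JAR files).
SUSPICIOUS_EXTENSIONS = {".vbs", ".vbe", ".jar", ".js", ".hta", ".ps1"}

# Matches http(s) URLs embedded in free-form log text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return a reason string if the URL matches the pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in TRUSTED_HOSTING_DOMAINS:
        return None
    # urlparse strips the query string, so '?x=1' does not hide the extension.
    path = parsed.path.lower()
    for ext in SUSPICIOUS_EXTENSIONS:
        if path.endswith(ext):
            return f"script payload ({ext}) served from trusted host {host}"
    return None


def scan_log_lines(lines):
    """Return a list of (line_no, url, reason) for every suspicious URL found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            reason = classify_url(url)
            if reason:
                findings.append((n, url, reason))
    return findings


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2018-11-20T09:14:02Z user=alice action=click url=https://storage.googleapis.com/invoice-bucket/Swift%20invoice.vbs",
    "2018-11-20T09:15:11Z user=bob action=click url=https://storage.googleapis.com/docs-bucket/quarterly-report.pdf",
    "2018-11-20T09:16:45Z user=carol action=click url=https://example.com/downloads/update.jar",
    "2018-11-20T09:17:30Z user=dave action=click url=https://storage.googleapis.com/tmp-bucket/loader.jar?sig=abc123",
]


if __name__ == "__main__":
    for line_no, url, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {url}")
```

Lines 1 and 4 of the sample are flagged (a VBS script and a JAR with a query string), while the PDF on the same domain and the JAR on an unlisted host are not. A real deployment would feed this from the mail gateway or proxy logs and pair the match with a sandbox detonation rather than blocking the whole storage.googleapis.com domain, which legitimate business traffic depends on.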


That was the news, folks; have a good week and stay safe out there.


  ----Mad-Architect