A recently observed phishing campaign is abusing Google Cloud Storage to deliver the Remcos remote access trojan (RAT), relying on trusted Google infrastructure and a signed Microsoft binary to evade conventional defenses.
Attackers host a fake Google Drive login page on the legitimate domain storage.googleapis.com, making the URL appear trustworthy to both users and security tools.
Instead of registering their own domain, they upload a crafted HTML page that closely mimics Google's interface and branding.
The operation highlights how reputation-based filtering alone is not enough to stop modern credential theft and malware delivery.
The page requests the victim's email address, password, and one-time passcode, effectively capturing full account access. Hosting on Google's infrastructure also helps the phishing links bypass some email filters and URL-reputation checks that favor well-known cloud providers.
Multi-stage infection chain
After a "successful" login, the site prompts the user to download a JavaScript file named Bid-Packet-INV-Doc.js, presented as a document or bid packet.
When executed, this script runs under Windows Script Host, includes time-based evasion logic, and launches the next-stage VBS script.
The first VBS stage downloads and silently runs another VBS file, which drops components under %APPDATA%\WindowsUpdate and configures Startup persistence so the malware survives a reboot.
A PowerShell script, DYHVQ.ps1, then orchestrates the loading of an obfuscated portable executable stored as ZIFDG.tmp, which contains the Remcos RAT payload.
To stay stealthy, the chain fetches an additional obfuscated .NET loader from a text-hosting service (Textbin) and loads it directly in memory via Assembly.Load, so the loader never needs to touch disk.
The .NET loader abuses RegSvcs.exe, the legitimate Microsoft .NET Services Installation Tool that normally lives in the .NET Framework directory, as a host for process hollowing.
Because RegSvcs.exe is signed by Microsoft and typically has a clean VirusTotal reputation, its execution usually appears benign in endpoint logs.
The loader creates or starts a copy of RegSvcs.exe from %TEMP%, hollows the process, and injects the Remcos payload so that most of the malicious logic executes only in memory.
This results in a partially fileless Remcos instance that communicates with its command-and-control (C2) server while hiding behind a trusted process name.
Detection and defense recommendations
Security teams should not rely solely on domain or file reputation when triaging alerts involving Google cloud domains or signed Windows binaries.
Behavioral sandboxing and EDR telemetry are key: defenders should monitor for suspicious script chains (JS → VBS → PowerShell), unusual creation of WindowsUpdate-like folders in %APPDATA%, and RegSvcs.exe launching from atypical paths such as %TEMP% (the genuine binary lives under %WINDIR%\Microsoft.NET\Framework or Framework64, so any other location is suspect).
Network controls should flag outbound connections that follow execution of scripting engines or newly spawned .NET processes, especially when preceded by access to storage.googleapis.com links.
Finally, user awareness campaigns must emphasize that even links pointing to well-known cloud providers can host phishing pages and malware, and any unexpected login prompts or script downloads from "Drive documents" should be treated with caution.
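The three host-based indicators above (the script-host chain, the %APPDATA%\WindowsUpdate drop, and RegSvcs.exe outside its framework directory) can be checked directly against process-creation and file-creation telemetry. The following is an added example written for this article, not code from the original report or from any vendor; it runs over hand-constructed Sysmon-like JSON events (id 1 = process creation, id 11 = file creation). The field names, PIDs, and the stage1.vbs file name are assumptions for illustration only; the DYHVQ.ps1 and ZIFDG.tmp names are the ones the chain description uses.

```python
"""Detection logic for the Remcos delivery chain described above.

Added example, not from the article. Telemetry is constructed by hand in a
Sysmon-like shape; field names, PIDs and stage1.vbs are assumptions.
"""
import json
import ntpath
import re

# Constructed sample events: the JS -> VBS -> PowerShell chain, a drop into
# %APPDATA%\WindowsUpdate, RegSvcs.exe launched from %TEMP%, plus two benign
# events (RegSvcs.exe from its real framework directory, a normal .lnk write).
SAMPLE_EVENTS = r"""
{"id": 1, "pid": 4100, "ppid": 880, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\u\\Downloads\\Bid-Packet-INV-Doc.js"}
{"id": 1, "pid": 4120, "ppid": 4100, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"}
{"id": 11, "pid": 4120, "target": "C:\\Users\\u\\AppData\\Roaming\\WindowsUpdate\\ZIFDG.tmp"}
{"id": 1, "pid": 4130, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -ep bypass -w hidden -f C:\\Users\\u\\AppData\\Roaming\\WindowsUpdate\\DYHVQ.ps1"}
{"id": 1, "pid": 4140, "ppid": 4130, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\RegSvcs.exe", "cmd": "RegSvcs.exe"}
{"id": 1, "pid": 5000, "ppid": 880, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe", "cmd": "RegSvcs.exe /u MyComponent.dll"}
{"id": 11, "pid": 5020, "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.lnk"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# Where a genuine RegSvcs.exe lives: %WINDIR%\Microsoft.NET\Framework[64]\v*\
LEGIT_REGSVCS_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+$", re.I)
# Real Windows Update never writes under %APPDATA%\WindowsUpdate.
APPDATA_UPDATE_DIR = re.compile(r"\\appdata\\roaming\\windowsupdate\\", re.I)


def parse_events(jsonl):
    """Split JSON-lines telemetry into a pid-keyed process map and file events."""
    procs, files = {}, []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
        elif ev["id"] == 11:
            files.append(ev)
    return procs, files


def image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def describe(ev):
    """Image name, plus the script extension a script host was handed."""
    name = image_name(ev)
    if name in SCRIPT_HOSTS:
        m = SCRIPT_EXT.search(ev.get("cmd", ""))
        if m:
            return f"{name}[.{m.group(1).lower()}]"
    return name


def detect_script_chain(procs):
    """PowerShell whose parent lineage is two or more script-host processes."""
    alerts = []
    for pid, ev in procs.items():
        if image_name(ev) not in POWERSHELL:
            continue
        lineage, parent, seen = [describe(ev)], procs.get(ev["ppid"]), set()
        while parent and image_name(parent) in SCRIPT_HOSTS and parent["pid"] not in seen:
            seen.add(parent["pid"])
            lineage.insert(0, describe(parent))
            parent = procs.get(parent["ppid"])
        if len(lineage) >= 3:  # at least two script hosts above PowerShell
            alerts.append({"rule": "script_chain", "pid": pid, "chain": lineage})
    return alerts


def detect_regsvcs_path(procs):
    """RegSvcs.exe running from anywhere but the .NET Framework directory."""
    return [
        {"rule": "regsvcs_atypical_path", "pid": pid, "image": ev["image"]}
        for pid, ev in procs.items()
        if image_name(ev) == "regsvcs.exe"
        and not LEGIT_REGSVCS_DIR.match(ntpath.dirname(ev["image"]))
    ]


def detect_appdata_windowsupdate(files):
    """File writes into a WindowsUpdate folder under the roaming profile."""
    return [
        {"rule": "appdata_windowsupdate_drop", "pid": ev["pid"], "target": ev["target"]}
        for ev in files
        if APPDATA_UPDATE_DIR.search(ev["target"])
    ]


def run_detections(jsonl):
    procs, files = parse_events(jsonl)
    return (detect_script_chain(procs)
            + detect_regsvcs_path(procs)
            + detect_appdata_windowsupdate(files))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the script-chain rule reports the lineage wscript.exe[.js] → wscript.exe[.vbs] → powershell.exe, the path rule fires only for the RegSvcs.exe copy in %TEMP% (the one under Framework64 is left alone), and the file rule flags the ZIFDG.tmp write. The chain rule keys on the script file extension from the command line rather than on the host binary alone, because both the JS and the VBS stages run under the same wscript.exe image and would otherwise look identical.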