Google Cloud Storage weaponized for clandestine Remcos RAT delivery

Threat actors have been abusing Google Cloud Storage to host phishing pages that covertly deploy the Remcos RAT malware as part of a multi-stage attack campaign, reports Cyber Security News.

Intrusions commence with the distribution of malicious emails linking to webpages hosted on the legitimate storage.googleapis.com domain that masquerade as Google Drive login screens, according to an ANY.RUN analysis. Approving a sign-in to view a document triggers the harvesting of email addresses, passwords, and one-time passcodes and the downloading of a JavaScript file, which results in the delivery of Remcos RAT. Apart from facilitating keystroke logging, screenshot capturing, microphone and webcam compromise, credential theft, and remote file transfers, Remcos RAT also ensures persistence through entries written into the Windows Registry.

Because the campaign's attack chain is built to remain stealthy, organizations' security teams have been urged not only to be more vigilant about storage.googleapis.com links but also to implement behavioral analysis systems that track post-click activity.
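
One way to track post-click activity is to correlate, per host, a click on a storage.googleapis.com link with a later JavaScript file write and a Registry write. The sketch below is an added example, not code from ANY.RUN or the report; the event schema, field names, 10-minute window and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample telemetry; the schema and every value are hypothetical.
EVENTS = [
    {"ts": "2025-01-01T09:00:00", "host": "ws-01", "type": "url_click", "url": "https://storage.googleapis.com/example-bucket/login.html"},
    {"ts": "2025-01-01T09:01:10", "host": "ws-01", "type": "file_write", "path": r"C:\Users\a\Downloads\doc.js"},
    {"ts": "2025-01-01T09:02:30", "host": "ws-01", "type": "registry_set", "key": r"HKCU\Software\Example\Run"},
    {"ts": "2025-01-01T09:05:00", "host": "ws-02", "type": "url_click", "url": "https://storage.googleapis.com/example-bucket/a.pdf"},
    {"ts": "2025-01-01T09:30:00", "host": "ws-02", "type": "file_write", "path": r"C:\Users\b\Downloads\notes.js"},
    {"ts": "2025-01-01T10:00:00", "host": "ws-03", "type": "url_click", "url": "https://storage.googleapis.com.evil.example/x"},
    {"ts": "2025-01-01T10:01:00", "host": "ws-03", "type": "file_write", "path": r"C:\Users\c\Downloads\x.js"},
    {"ts": "2025-01-01T10:02:00", "host": "ws-03", "type": "registry_set", "key": r"HKCU\Software\Example\Run"},
]

def is_gcs_link(url):
    """Exact host match; a substring check would also hit look-alike hosts."""
    return (urlsplit(url).hostname or "").lower() == "storage.googleapis.com"

def stage(ev):
    """Map an event to its position in the chain: click=0, .js write=1, registry=2."""
    if ev["type"] == "url_click" and is_gcs_link(ev["url"]):
        return 0
    if ev["type"] == "file_write" and ev["path"].lower().endswith(".js"):
        return 1
    return 2 if ev["type"] == "registry_set" else None

def correlate(events, window=WINDOW):
    """Alert on hosts showing click -> .js write -> registry write within the window."""
    alerts, state = [], {}  # state: host -> (next expected stage, click time)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, s = datetime.fromisoformat(ev["ts"]), stage(ev)
        if s is None:
            continue
        if s == 0:  # a new click (re)starts the chain for this host
            state[ev["host"]] = (1, ts)
            continue
        expected, clicked = state.get(ev["host"], (None, None))
        if expected != s or ts - clicked > window:
            continue  # out of order, no prior click, or too late
        if s == 1:
            state[ev["host"]] = (2, clicked)
        else:
            alerts.append({"host": ev["host"], "clicked_at": clicked.isoformat()})
            del state[ev["host"]]
    return alerts
```

On the constructed events only ws-01 alerts: ws-02 writes its .js file outside the window, and ws-03 clicked a look-alike host rather than storage.googleapis.com.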
