Threat actors using Google computing platform (GCP) to deliver the malware through malicious PDF files. The attack targeting governments and financial firms worldwide.
According to Netskope Threat Research Labs detected the targeted based on its 42 customers instances and likely the attacks to be launched by the infamous hacking group Cobalt Strike.
Last year Cybercriminals abusing legitimate Google Cloud Storage services to host the malicious payload and delivered to compromise the organization networks through bypassing the security controls.
In this campaign attackers used traditional email Crafted in a way to appear like a legitimate one and carries the malicious PDF document as an attachment in the mail.
The PDF’s found to be created with Adobe Acrobat and they contain HTTPS URL’s in a compressed form and all the decoys used in delivering the payload.
“The targeted attack is more convincing than the traditional attacks and these attacks carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload.”
Attackers abused the GoogleApp Engine URL and redirects the victim to download the malware hosted sites, which makes the victim’s to be beleived that they are downloading from the trusted source.
URL Redirection – Google Cloud Computing
According ot Netskope illustration on the decoy URL is accessed by the user, it logs out form appengine.google.com and generates a 302 status code of redirection.
once this action is triggered it redirects the user to google.com/logout?continue=, by using those redirection logic threat actors make the victim’s to reach the destination landing page and downloads Doc102018[.]doc to the victim machine.
Eventhough it is an unvalidated redirect GCP App Engine application successfully validated all the redirection and delivers the payload to victim’s machine.
Threat actors abused the Unvalidated Redirects and Forwards vulnerability with GCP App Engine and redirects victims to download the to a malicious appended URL hosting the malicious payload, reads netskope report.
Downloaded txt document “fr[.]txt” exploits uses native windows application Microsoft Connection Manager Profile Installer to download and execute the payload, researchers call it a Squiblydoo technique.
“Based on our threat intelligence research, more than 20 other banking, government and financial institutions were targeted with the same attack via phishing emails sent by the attackers posing as legitimate customers of those institutions says netskope.”