Hackers Use Google Cloud Storage to Deliver Remcos RAT, Bypass Email Security
Key Takeaways
- Threat actors are leveraging Google Cloud Storage (GCS) to host malicious files, evading typical email security measures.
- The campaign primarily delivers the Remcos Remote Access Trojan (RAT) via phishing emails targeting various organizational sectors.
- The combination of GCS-hosted links and a genuine Microsoft binary, RegSvcs.exe, lets the malware slip past many signature-based detection systems.
- Organizations should treat GCS links with extreme caution and invest in behavioral analysis and employee training.
Hackers Exploit Google Cloud Storage to Distribute Remcos RAT, Bypass Email Defenses
Cyber adversaries are actively exploiting Google Cloud Storage (GCS) infrastructure to host and distribute malicious payloads, effectively circumventing conventional email security protocols. This sophisticated campaign delivers the Remcos Remote Access Trojan (RAT) to targeted organizations across diverse sectors, initiating attacks through carefully crafted phishing emails.
Phishing as the Initial Vector
The attack chain begins with recipients receiving phishing emails containing a malicious link. This link redirects users to a Google Cloud Storage bucket, where a ZIP archive containing the malware awaits download. This method leverages the inherent trust often associated with legitimate cloud service providers like Google, making the malicious links appear less suspicious than those pointing to unknown domains.
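The lure relies on the recipient trusting the Google host name. An e-mail gateway or SOAR playbook can at least surface such links for review. The following script is an added example written for this article, not code from HackersRadar or from the underlying report: it extracts URLs from a message body, recognises both the path-style (`storage.googleapis.com/<bucket>/<object>`) and virtual-hosted (`<bucket>.storage.googleapis.com/<object>`) forms of a GCS object link as well as the `storage.cloud.google.com` browser endpoint, and rates a finding higher when the object is an archive or executable. The extension list, the severity scheme and the sample e-mail are constructed assumptions.

```python
"""Triage e-mail links that point at Google Cloud Storage objects.

Added example for this article, not code from HackersRadar or the
underlying report. The host names are the public GCS endpoints; the
extension list and the severity scheme are my own assumptions.
"""
import re
from urllib.parse import urlparse, unquote

# Path-style endpoint (storage.googleapis.com/<bucket>/<object>) and the
# browser download endpoint used by the Cloud Console.
GCS_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
# Virtual-hosted style: <bucket>.storage.googleapis.com/<object>
GCS_HOST_SUFFIX = ".storage.googleapis.com"
# Object types a phishing lure would deliver (assumption: tune to your environment).
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".js", ".vbs", ".lnk")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Return (bucket, object_name) when url is a GCS object link, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lstrip("/")      # decode %2F etc. before splitting
    if host in GCS_HOSTS:
        bucket, _, obj = path.partition("/")
    elif host.endswith(GCS_HOST_SUFFIX):
        bucket, obj = host[: -len(GCS_HOST_SUFFIX)], path
    else:
        return None
    return (bucket, obj) if bucket else None


def triage_email(body):
    """Return one finding per GCS link in body, rated by what it serves."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")               # drop trailing sentence punctuation
        hit = classify_url(url)
        if hit is None:
            continue
        bucket, obj = hit
        severity = "high" if obj.lower().endswith(RISKY_EXT) else "medium"
        findings.append({"url": url, "bucket": bucket, "object": obj, "severity": severity})
    return findings


# Constructed sample lure, modelled on the campaign described in the article.
SAMPLE_EMAIL = """\
Dear Sir,
Please review the purchase order below before Friday.
Download: https://storage.googleapis.com/po-docs-2024/Purchase_Order_4471.zip
Our portal: https://www.example.com/login
"""

if __name__ == "__main__":
    for f in triage_email(SAMPLE_EMAIL):
        print(f["severity"].upper(), f["bucket"], f["object"], f["url"])
```

Because GCS also hosts plenty of legitimate content, the output is meant to feed a review queue or an enrichment step (bucket age, object type, sender reputation), not an outright block.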
Evasion Techniques and Malware Delivery
Once a user clicks the link and downloads the ZIP archive, the threat actors exploit a blind spot in many endpoint protection tools. A key component of the attack is RegSvcs.exe, which at the time of analysis had a clean reputation on VirusTotal. That is to be expected: RegSvcs.exe is a genuine, signed Microsoft .NET Framework utility, so hash- and signature-based tools have nothing to match on, and the malicious activity only becomes visible in what the process does after it is launched. The underlying research report documents this in detail. Detecting the campaign therefore requires behavioral monitoring of the post-click activity that betrays the malware's true intent.
What You Should Do
- Exercise Extreme Caution with Cloud Storage Links: Treat any link originating from storage.googleapis.com with the same skepticism as an unfamiliar domain. Do not rely solely on the platform's reputation to guarantee content safety.
- Implement Advanced Behavioral Analysis: Enhance security postures with tools capable of observing and analyzing post-click activities. Behavioral analysis is significantly more effective than signature-based detection in identifying these threats.
- Conduct Targeted Employee Training: Educate employees, particularly those in high-value roles such as finance, procurement, and leadership, on the specific tactics of cloud-storage phishing lures. Emphasize the importance of never downloading files from unexpected login prompts or suspicious cloud links.
- Isolate and Test Suspicious Files: Detonate suspicious archives and any script or executable files they contain in an isolated, sandboxed environment before allowing them to run on any production system.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.