A recent phishing campaign has emerged, leveraging Google Cloud Storage to distribute the Remcos Remote Access Trojan (RAT) to unsuspecting users worldwide. This campaign exploits the inherent trust users and security tools place in Google’s infrastructure, making detection and blocking at the network level significantly challenging.
Exploiting Trusted Infrastructure
Phishing attempts have long relied on deception, but this particular campaign escalates the tactic by embedding a malicious HTML page directly on Google Cloud Storage. This page is hosted on the googleapis.com domain, a trusted and recognized Google service, which allows it to bypass most email security gateways and web filters without raising suspicion.
The phishing emails sent to targets include links leading directly to these Google-hosted pages. These pages are cleverly designed to mimic the legitimate Google Drive document-sharing interface. Once a user clicks the link and interacts with the page, the infection process is initiated silently in the background.
Advanced Evasion Techniques
Analysts from ANY.RUN have uncovered this sophisticated phishing operation, highlighting how it effectively uses trusted cloud infrastructure to circumvent conventional security measures. Their analysis shows that the campaign’s attack chain is meticulously crafted to avoid detection at every stage, from the initial phishing email to the execution of the malicious payload on the victim’s device. Hosting malicious content on a Google domain stands as the campaign’s most effective evasion strategy.
Remcos RAT, the payload in this campaign, is a commercially available remote administration tool developed by Breaking Security. While it is marketed for legitimate remote management and penetration testing, cybercriminals have frequently repurposed it for unauthorized surveillance and data theft. Active since 2016, Remcos remains a persistent threat due to continuous updates and improvements.
Precautionary Measures
The potential reach of this campaign is extensive. Any individual or organization receiving an email with a link to Google Cloud Storage could be at risk, regardless of their security knowledge. The campaign’s deceptive design, which closely mimics Google’s services, poses a threat even to cautious users who might not realize the danger until it is too late.
The infection chain involves multiple stages, each carefully planned to complicate detection and delay analysis. It begins with a phishing email carrying a link to a fraudulent HTML page on googleapis.com, designed to appear as a legitimate shared document prompt. Interaction with this page triggers a download of a compressed archive from attacker-controlled servers, which contains a dropper component that executes silently via Windows scripting engines. This leads to the retrieval and execution of the Remcos RAT payload, using techniques like process hollowing to avoid detection.
To mitigate risks, security teams are advised to monitor unusual outbound connections to googleapis.com and enforce strict script execution policies. Implementing behavioral endpoint detection and thoroughly scanning all email links, regardless of their apparent legitimacy, are effective measures to reduce exposure. Additionally, users should be educated to verify the authenticity of unexpected emails and links, even those seemingly from trusted platforms like Google Drive.
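To show how the staged chain described above can be turned into a detection rather than a single-indicator block, here is an added example (not code from the article or from ANY.RUN) that correlates the three observable stages per endpoint over constructed telemetry: an HTML object fetched from Google Cloud Storage, followed by an archive download from a non-Google host, followed by a Windows scripting engine launching. The host names, URLs and the set of scripting engines are assumptions, not indicators from the campaign.

```python
# Added example: stage correlation for the chain described in the article.
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
# Windows scripting engines a dropper stage would typically run under (assumption).
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}


def is_gcs_html_link(url: str) -> bool:
    """Stage 1: an HTML object served from Google Cloud Storage."""
    p = urlparse(url)
    host = p.netloc.lower()
    on_gcs = host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com")
    return on_gcs and p.path.lower().endswith((".html", ".htm"))


def is_external_archive(url: str) -> bool:
    """Stage 2: a compressed archive pulled from a host that is not Google."""
    p = urlparse(url)
    host = p.netloc.lower()
    return not host.endswith("googleapis.com") and p.path.lower().endswith(ARCHIVE_EXT)


def correlate(events):
    """Walk events (dicts: ts, host, kind in {'url','proc'}, value) in time order and
    report hosts where stage 1 -> 2 -> 3 occurs in sequence. Returns [(host, ts), ...]."""
    stage = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        h, s = e["host"], stage.get(e["host"], 0)
        if e["kind"] == "url" and s == 0 and is_gcs_html_link(e["value"]):
            stage[h] = 1
        elif e["kind"] == "url" and s == 1 and is_external_archive(e["value"]):
            stage[h] = 2
        elif e["kind"] == "proc" and s == 2 and e["value"].lower() in SCRIPT_ENGINES:
            stage[h] = 3
            hits.append((h, e["ts"]))
    return hits


# Constructed sample telemetry; hosts and URLs are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "kind": "url", "value": "https://storage.googleapis.com/share-docs/view.html"},
    {"ts": 2, "host": "ws01", "kind": "url", "value": "http://example.invalid/dl/invoice.zip"},
    {"ts": 3, "host": "ws01", "kind": "proc", "value": "wscript.exe"},
    {"ts": 1, "host": "ws02", "kind": "url", "value": "https://storage.googleapis.com/release/notes.pdf"},
    {"ts": 2, "host": "ws02", "kind": "proc", "value": "wscript.exe"},  # routine script use, no chain
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # -> [('ws01', 3)]
```

Requiring the sequence rather than any single stage keeps ordinary Google Cloud Storage traffic and legitimate wscript.exe use from alerting on their own, which is the practical problem the article raises with blocking a trusted domain outright.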
