Sorillus RAT and Phishing Attacks Exploit Google Firebase Hosting

Attackers have been observed abusing Google Firebase Hosting infrastructure to deliver the Sorillus Remote Access Trojan (RAT) and to host phishing pages.

The activity was uncovered by eSentire, whose Security Operations Center (SOC) detected suspicious code within a manufacturing customer's network.

In a blog post published on July 13, 2023, eSentire's researchers said the attackers are using Firebase Hosting because hosting on a trusted Google service helps conceal the malicious content from scrutiny.

“In a recent incident in June 2023, our [SOC] was alerted to suspicious code being written to the registry of an endpoint in a manufacturing customer's network,” the blog post reads.

“Investigation identified the Sorillus RAT and a phishing page being served via smuggled HTML files and links hosted on Google's Firebase Hosting service.”

Specifically, the attackers exploited Firebase's reputation as a legitimate service to distribute Sorillus RAT, a commercially sold, Java-based malware family that provides remote access and data theft capabilities.


The attack began with a phishing email enticing the victim to open a seemingly harmless tax-themed file. The attachment concealed a Java payload that executed the Sorillus RAT on the victim's system.
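The detail that first tipped off the SOC was code being written to an endpoint's registry, and the implant is Java-based. The following is an added example (not code from the eSentire report) showing how a detection engineer might hunt for that combination in endpoint telemetry: it scans constructed, Sysmon-style registry value-set events (Event ID 13) and flags autostart writes that launch a .jar, point into a user-writable directory, or are made by a Java process. The event shapes, field names and thresholds are assumptions for illustration, not eSentire's published rules.

```python
"""Flag registry autostart writes that look like a Java-based implant persisting.

The events below are constructed for this example in the shape of Sysmon
Event ID 13 (RegistryEvent, value set); they are not real telemetry.
Heuristics (assumptions for this example, not eSentire's published logic):
  * only writes under a Run/RunOnce autostart key are considered, and
  * a write is flagged if the value data launches java/javaw with a .jar,
    points into a user-writable directory, or the writing process is Java.
"""
import re

AUTOSTART_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
JAVA_LAUNCH = re.compile(r"\bjavaw?\.exe\b.*(-jar\b|\.jar\b)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.I)

# Constructed sample events (hypothetical SID, user and paths).
SAMPLE_EVENTS = [
    {   # a Java process adds a Run key that relaunches a .jar from AppData
        "EventID": 13,
        "Image": "C:\\Program Files\\Java\\jre1.8.0_371\\bin\\javaw.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
        "Details": "\"C:\\Program Files\\Java\\jre1.8.0_371\\bin\\javaw.exe\" -jar "
                   "C:\\Users\\alice\\AppData\\Roaming\\svc.jar",
    },
    {   # benign autostart entry written by Explorer, system path
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
        "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    },
    {   # Java writing its own preferences: not an autostart key, ignored
        "EventID": 13,
        "Image": "C:\\Program Files\\Java\\jre1.8.0_371\\bin\\java.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\JavaSoft\\Prefs\\app",
        "Details": "enabled",
    },
    {   # a process-create event, wrong event type, ignored
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetObject": "",
        "Details": "",
    },
]


def classify(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    reasons = []
    if event.get("EventID") != 13:
        return reasons
    if not AUTOSTART_KEY.search(event.get("TargetObject", "")):
        return reasons
    details = event.get("Details", "")
    if JAVA_LAUNCH.search(details):
        reasons.append("autostart value launches a .jar via java/javaw")
    if USER_WRITABLE.search(details):
        reasons.append("autostart value points into a user-writable directory")
    if JAVA_IMAGE.search(event.get("Image", "")):
        reasons.append("autostart key written by a Java process")
    return reasons


def find_suspicious(events):
    """Return (registry path, reasons) for every event that trips a heuristic."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["TargetObject"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The user-writable-path heuristic on its own will also fire on legitimate per-user installers (OneDrive, Teams and similar write Run values under AppData), so in production it belongs behind an allowlist or a correlation with the other two conditions; the Java-process and .jar conditions are far rarer in normal fleets and are the ones worth paging on.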

The researchers also uncovered a heavily obfuscated phishing kit that relied on Google Firebase Hosting. That campaign combined several cloud services, including Cloudflare, to build a convincing Microsoft 365 login page.

In both cases the attackers took advantage of the trust placed in these cloud platforms to bypass security filters and automated scanners, making detection difficult.
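Because the hosting domain is trusted, reputation-based filtering alone cannot catch the smuggled HTML described above; the content itself has to be inspected. The following is an added example (not code from the eSentire report or the phishing kit it describes) of a content-level check: it scores fetched HTML for the classic HTML-smuggling pattern, a long base64 literal decoded with atob(), wrapped in a Blob and forced to download, and raises the score when such a page is served from a Firebase Hosting domain (*.web.app or *.firebaseapp.com). The sample pages, URLs, weights and threshold are constructed assumptions for illustration.

```python
"""Score HTML for HTML-smuggling indicators instead of trusting the hosting domain.

Samples and weights are constructed for this example; they are not the kit
analysed by eSentire. Heuristics are assumptions: a long base64 literal that
is decoded client-side and handed to a Blob which is then forced to download
is the classic smuggling pattern, and a page on Firebase Hosting gets a
small extra weight only once that pattern is already present.
"""
import re
from urllib.parse import urlparse

FIREBASE_HOSTS = (".web.app", ".firebaseapp.com")

# (label, pattern, weight) for each indicator looked for in the page body
INDICATORS = [
    ("atob() decode",            re.compile(r"\batob\s*\("),               1),
    ("typed array build",        re.compile(r"\bUint8Array\s*\("),         1),
    ("Blob construction",        re.compile(r"\bnew\s+Blob\s*\("),         1),
    ("object URL",               re.compile(r"createObjectURL\s*\("),      1),
    ("forced download attr",     re.compile(r"\.download\s*="),            1),
    ("msSaveOrOpenBlob",         re.compile(r"msSaveOrOpenBlob\s*\("),     2),
    ("long base64 literal",      re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
]

# Constructed samples: a smuggling page and two benign pages (hypothetical hosts).
SMUGGLED_URL = "https://tax-docs-2023.web.app/form.html"
SMUGGLED_HTML = (
    "<html><body><script>"
    "var b64='" + "QUJD" * 80 + "';"                      # stand-in payload
    "var bin=atob(b64);var arr=new Uint8Array(bin.length);"
    "for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}"
    "var blob=new Blob([arr],{type:'application/octet-stream'});"
    "var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    "a.download='tax_form.jar';a.click();"
    "</script></body></html>"
)
BENIGN_FIREBASE_URL = "https://team-dashboard.firebaseapp.com/"
BENIGN_FIREBASE_HTML = "<html><body><h1>Dashboard</h1><script>console.log('ok');</script></body></html>"
BENIGN_DOWNLOAD_URL = "https://example.com/reports"
BENIGN_DOWNLOAD_HTML = "<html><body><a href='/q2.pdf' download>Quarterly report</a></body></html>"

SAMPLES = [
    (SMUGGLED_URL, SMUGGLED_HTML),
    (BENIGN_FIREBASE_URL, BENIGN_FIREBASE_HTML),
    (BENIGN_DOWNLOAD_URL, BENIGN_DOWNLOAD_HTML),
]


def is_firebase_host(url):
    """True if the URL's host is a Firebase Hosting default domain."""
    host = urlparse(url).hostname or ""
    return host.endswith(FIREBASE_HOSTS)


def smuggling_score(url, html):
    """Return (score, matched indicator labels) for one fetched page."""
    hits = [label for label, pattern, _ in INDICATORS if pattern.search(html)]
    score = sum(weight for label, _, weight in INDICATORS if label in hits)
    if is_firebase_host(url) and score >= 3:
        hits.append("served from Firebase Hosting")
        score += 1
    return score, hits


def scan(samples, threshold=4):
    """Return (url, score, hits) for every page at or above the threshold."""
    flagged = []
    for url, html in samples:
        score, hits = smuggling_score(url, html)
        if score >= threshold:
            flagged.append((url, score, hits))
    return flagged


if __name__ == "__main__":
    for url, score, hits in scan(SAMPLES):
        print(f"{score:2d}  {url}")
        for hit in hits:
            print("     -", hit)
```

Note that the Firebase indicator is deliberately conditional: blocking *.web.app outright would break legitimate applications, which is exactly why the attackers chose it. The same conditional weighting would apply to any other widely trusted host, such as the Cloudflare-fronted infrastructure used by the Microsoft 365 phishing kit.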

eSentire’s Threat Response Unit (TRU) provided key insights and recommendations for defending against these advanced attacks.

They emphasized the importance of keeping antivirus signatures up to date and deploying next-generation antivirus and endpoint detection and response (EDR) tools. They also suggested removing Java from systems that do not need it and configuring systems to open potentially dangerous file types with caution.
