Remcos RAT Deployed Through New Google Storage Phishing Campaign

Cybersecurity researchers have uncovered an evasive phishing campaign that abuses trusted Google infrastructure to deploy the Remcos Remote Access Trojan (RAT).

By hosting the malicious HTML pages on Google Cloud Storage rather than on newly registered domains, the threat actors sidestep reputation-based filters: the hosting domain is long-lived, widely used for legitimate content, and unlikely to be blocked outright.

The campaign opens with a Google Drive-themed lure that harvests the victim's credentials, then kicks off a multi-stage malware-delivery chain.

Multi-Stage Infection Chain

The initial JavaScript file is a Windows Script Host (WSH) launcher. It uses time-based evasion, delaying its real work so that short-lived automated sandboxes finish their analysis before any malicious behaviour appears.

The launcher then hands off to the first Visual Basic Script (VBS) stage, which downloads additional components and executes them silently in the background.

The attack relies on a precise sequence of events to establish a strong foothold on the compromised machine:

  • The second VBS stage copies files to the %APPDATA%\WindowsUpdate directory and establishes persistence via the Windows Startup folder.
  • A PowerShell script orchestrates the loading phase, pulling down the obfuscated payloads it needs.
  • An obfuscated executable acts as the staging ground for the final malware.
  • A .NET loader hosted on Textbin is fetched and executed directly in memory, without being written to disk as a conventional executable.

Bypassing Detection With Legitimate Binaries

One of the most dangerous aspects of this campaign is its abuse of a legitimate Microsoft binary to hide the final payload.

The attackers leverage RegSvcs.exe, the .NET Services Installation Tool: a legitimate, Microsoft-signed .NET Framework utility that ships with Windows under the Microsoft.NET\Framework directory.

Because the file is genuine, its hash is clean on threat-intelligence platforms such as VirusTotal, so it passes basic file-reputation checks and tends to be assigned a low alert priority during triage.

Instead of dropping a recognizable malware executable onto disk, the attackers copy RegSvcs.exe into the temporary folder. A signed Microsoft binary running from %TEMP% rather than from its .NET Framework directory is itself a strong detection signal, even though the file's hash is clean.

They then use process hollowing to run the Remcos RAT inside this trusted binary: the copied RegSvcs.exe is started in a suspended state, its in-memory image is replaced with the malicious code, and the process is resumed.

The result is a partially fileless infection. To the operating system and to many security monitors, the process looks like a signed Microsoft binary running normally, while in reality the hidden Remcos RAT is actively connecting to its Command and Control (C2) server.

According to the research, which was shared on LinkedIn, file reputation alone is insufficient to stop this threat, so security teams must adapt their defensive strategies. Detecting this campaign relies heavily on behavioral analysis and sandboxes that wait out the launcher's time-based delay.

Security Operations Centers (SOCs) should monitor for unusual script execution (a script host such as wscript.exe spawning another script host or PowerShell), network connections originating from native Windows binaries that have no business talking to the network, signed system binaries running from user-writable locations such as %TEMP%, and the memory allocations and writes into a suspended process that are characteristic of process hollowing.
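The following is an added example, not code from the original article or from the researchers who reported the campaign. It turns the behaviours described in the infection chain above (script-host chaining, Startup-folder persistence) and in the RegSvcs.exe section (a relocated copy of the binary, network activity from it) into simple triage rules and runs them over constructed, Sysmon-like event records. The event schema ("kind", "image", "parent", "target", "dest") and the sample paths and file names are assumptions made for the example.

```python
"""Behavioral triage rules for the Remcos delivery chain described above.

Added example; not the article's or the researchers' code. The events at the
bottom are constructed, Sysmon-like records, and the field names are an
assumed schema rather than any real product's format.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"} | SCRIPT_HOSTS

# RegSvcs.exe ships with the .NET Framework under Microsoft.NET\Framework and
# Microsoft.NET\Framework64; a copy running from anywhere else is suspect.
LEGIT_REGSVCS_PREFIX = "c:\\windows\\microsoft.net\\framework"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Drop directory named on the page (%APPDATA% resolves to AppData\Roaming).
DROP_DIR = "\\appdata\\roaming\\windowsupdate\\"


def base(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_script_chain(ev):
    """JS/VBS stage handing off to another script host or to PowerShell."""
    if ev["kind"] != "ProcessCreate":
        return None
    if base(ev["parent"]) in SCRIPT_HOSTS and base(ev["image"]) in SHELLS:
        return "script_host_chaining"
    return None


def rule_startup_persistence(ev):
    """A script host or PowerShell writing into Startup or the drop directory."""
    if ev["kind"] != "FileCreate" or base(ev["image"]) not in SHELLS:
        return None
    target = ev["target"].lower()
    if STARTUP_DIR in target or DROP_DIR in target:
        return "startup_persistence_by_script"
    return None


def rule_regsvcs_relocated(ev):
    """RegSvcs.exe started from outside the .NET Framework directories."""
    if ev["kind"] != "ProcessCreate" or base(ev["image"]) != "regsvcs.exe":
        return None
    if not ev["image"].lower().startswith(LEGIT_REGSVCS_PREFIX):
        return "regsvcs_outside_framework_dir"
    return None


def rule_regsvcs_network(ev):
    """RegSvcs.exe registers components locally; a hollowed copy beacons out."""
    if ev["kind"] == "NetworkConnect" and base(ev["image"]) == "regsvcs.exe":
        return "regsvcs_network_connection"
    return None


RULES = (rule_script_chain, rule_startup_persistence,
         rule_regsvcs_relocated, rule_regsvcs_network)


def evaluate(events):
    """Run every rule over every event; return (event id, rule name) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["id"], name))
    return hits


# Constructed sample telemetry: two benign events, then the chain from the page.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 2, "kind": "ProcessCreate", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"},
    {"id": 3, "kind": "ProcessCreate", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"id": 4, "kind": "FileCreate", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"id": 5, "kind": "ProcessCreate", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 6, "kind": "ProcessCreate", "parent": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\RegSvcs.exe"},
    {"id": 7, "kind": "NetworkConnect", "image": r"C:\Users\u\AppData\Local\Temp\RegSvcs.exe",
     "dest": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Each rule keys on a behaviour rather than a hash, which is the point of the section: the benign RegSvcs.exe launch from the Framework64 directory (event 2) produces nothing, while the same file name running from %TEMP% and opening a network connection (events 6 and 7) fires twice. In production the path and directory constants would be read from the host's real environment and the Startup-folder rule extended to the all-users Startup directory.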

By tracking the published Indicators of Compromise (IOCs) and pivoting on them in threat-intelligence platforms, organizations can validate their detection coverage and contain these stealthy intrusions faster.


The post Remcos RAT Deployed Through New Google Storage Phishing Campaign appeared first on Cyber Security News.
