"Sorillus RAT and Phishing Attacks Exploit Google Firebase Hosting"

According to security researchers at eSentire, attackers have been observed using the notorious Sorillus remote access trojan (RAT) and phishing attacks to exploit Google Firebase Hosting infrastructure. The researchers stated that the attackers have been using Firebase Hosting because of its ability to obscure malicious content. In a recent case in June 2023, the researchers were alerted to suspicious code written to the registry on an endpoint in a manufacturing customer's network. The investigation identified Sorillus RAT and a phishing page being delivered through HTML-smuggled files and links hosted on Google's Firebase Hosting service.

The researchers noted that the attackers particularly capitalized on Firebase's legitimacy to deliver Sorillus RAT, a Java-based commercial malware that provides remote access and data theft. The attack started with victims opening a phishing email that enticed them to open a seemingly innocuous tax-themed file. The attachment concealed a Java payload that executed Sorillus RAT on the victim's system. The researchers stated that the investigation also uncovered an intricately obfuscated phishing kit that relied heavily on Google Firebase Hosting. This phishing campaign used multiple cloud services, including Cloudflare, to craft a convincing Microsoft 365 login page. The attackers leveraged the credibility of these cloud platforms to bypass security filters and automated scanners, making detection challenging.

The researchers emphasize the importance of keeping antivirus signatures up to date and adopting next-generation antivirus or endpoint detection and response (EDR) tools. Furthermore, the researchers suggest removing Java from systems where it is unnecessary and configuring systems to open potentially dangerous file types with caution.


Infosecurity reports: "Sorillus RAT and Phishing Attacks Exploit Google Firebase Hosting"
