Sorillus RAT and Phishing Attacks Exploit Google Firebase Hosting

Attackers have been observed using the notorious Sorillus remote access trojan (RAT) and phishing attacks to exploit Google Firebase Hosting infrastructure.

The novel threat was observed when eSentire's Security Operations Center (SOC) detected suspicious code in a manufacturing customer's network.

The security experts described the new threat in an advisory published on July 13, 2023, where they said attackers have been using Firebase Hosting due to its ability to obscure malicious content.

"In a recent case in June 2023, our [SOC] was alerted to suspicious code written to the registry in an endpoint in a manufacturing customer's network," reads the blog post.

"The investigation identified Sorillus RAT and a phishing page being delivered using HTML smuggled files and links using Google's Firebase Hosting service."

In particular, attackers capitalized on Firebase's legitimacy to deliver the Sorillus RAT, a Java-based commercial malware that facilitates remote access and data theft.

The attack started with victims opening a phishing email that enticed them to open a seemingly innocuous tax-themed file. The attachment concealed a Java payload that executed the Sorillus RAT on the victim's system.

Additionally, the investigation uncovered an intricately obfuscated phishing kit that heavily relied on Google Firebase Hosting. This phishing campaign utilized multiple cloud services, including Cloudflare, to craft a convincing Microsoft 365 login page. 

As mentioned above, the attackers leveraged the credibility of these cloud platforms to bypass security filters and automated scanners, making detection challenging.

eSentire's Threat Response Unit (TRU) provided crucial insights and recommendations for defending against such sophisticated attacks.

They emphasized the importance of keeping antivirus signatures up-to-date and adopting Next-Gen antivirus or endpoint detection and response (EDR) tools. Furthermore, they suggested removing Java from systems where unnecessary and configuring systems to open potentially dangerous files with caution.
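The delivery described above (a tax-themed HTML attachment that rebuilds a Java payload in the browser) leaves characteristic traces in the attachment itself. The following detector is an added example, not eSentire's or Infosecurity Magazine's code; the sample attachment is constructed, the blob inside it is filler text, and the indicator names and scoring rule are assumptions chosen for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Indicators of HTML smuggling: the page decodes an embedded blob in the
# browser and hands it to the user as a file download.
DECODE_RE = re.compile(r"\batob\s*\(|Uint8Array|new\s+Blob\s*\(")
DROP_RE = re.compile(r"URL\.createObjectURL|msSaveOrOpenBlob")
NAME_RE = re.compile(r"\.download\s*=\s*['\"]([^'\"]+)['\"]")
BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{120,})['\"]")
RISKY_EXT = (".jar", ".js", ".iso", ".zip", ".lnk", ".exe")

class ScriptExtractor(HTMLParser):
    """Collect inline <script> bodies and any <a download="..."> names."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.names = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        self.names += [v for k, v in attrs if k == "download" and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan_html_attachment(html: str) -> dict:
    """Return the smuggling indicators found in one HTML attachment."""
    p = ScriptExtractor()
    p.feed(html)
    js = "\n".join(p.scripts)
    names = p.names + NAME_RE.findall(js)
    indicators = []
    if DECODE_RE.search(js):
        indicators.append("client-side payload decoding (atob/Blob)")
    if DROP_RE.search(js):
        indicators.append("blob handed to browser as a download")
    if BLOB_RE.search(js):
        indicators.append("large base64 literal embedded in script")
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if risky:
        indicators.append("download name with executable extension: " + ", ".join(risky))
    # Decoding alone is common in benign pages, so require corroboration (assumed rule).
    suspicious = (len(indicators) >= 2 and bool(risky)) or len(indicators) >= 3
    return {"suspicious": suspicious, "indicators": indicators, "names": names}

# Constructed sample modelled on the tax-themed lure; the blob is filler text.
FILLER = base64.b64encode(b"constructed placeholder, not a real payload " * 4).decode()
SAMPLE = ('<html><body><p>Your 2023 tax statement is attached.</p><script>'
          'var raw = atob("' + FILLER + '");'
          'var blob = new Blob([raw], {type: "application/java-archive"});'
          'var a = document.createElement("a");'
          'a.href = URL.createObjectURL(blob); a.download = "Tax_Statement.jar";'
          '</script></body></html>')
BENIGN = '<html><body><script>document.title = atob("SGVsbG8=");</script></body></html>'
```

Run over a mail gateway's quarantined HTML attachments, the indicator list gives an analyst the reason a file was flagged rather than a bare verdict.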

The eSentire blog post comes a few months after ESET shared findings related to a new mobile RAT based on AhMyth infecting Android devices.
