When Trust Becomes a Weapon: Google Cloud Storage Phishing Deploying Remcos RAT

Key Takeaways

• Attackers are abusing trusted Google Cloud Storage infrastructure to bypass email filters and host convincing Google Drive phishing pages.
• The attack chain utilizes a multi-stage process involving obfuscated JS, VBS, and PowerShell scripts to evade static detection.
• Malware achieves execution via process hollowing of the legitimate Microsoft binary RegSvcs.exe to run Remcos RAT entirely in memory.
• The campaign poses a dual threat by harvesting user credentials before delivering the Remcos RAT payload.
• Remcos RAT establishes persistence via the Registry and provides attackers with full remote control, keylogging, and data exfiltration capabilities.

Affected Systems

• Windows OS
• Google Workspace users (targeted)

Attack Chain

The attack begins with a phishing email containing a link to a fake Google Drive login page hosted on Google Cloud Storage. After harvesting user credentials, the page prompts the download of a malicious JavaScript file ('Bid-Packet-INV-Document.js'). When executed, this JS file uses time-based evasion and launches a multi-stage VBScript chain that establishes startup persistence and drops components into an AppData folder. A subsequent PowerShell script loads an obfuscated .NET loader from Textbin into memory, which then performs process hollowing on a copy of the legitimate Microsoft binary 'RegSvcs.exe' to execute the Remcos RAT payload filelessly. Finally, Remcos establishes a C2 connection and creates registry-based persistence.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: Yes
• Snort/Suricata Rules: Yes
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: ANY.RUN

YARA, Sigma, and Suricata rules are available within the ANY.RUN platform to detect Remcos RAT execution, process hollowing behaviors, and associated network traffic.

Detection Engineering Assessment

EDR Visibility: Medium — Initial script execution and process hollowing of RegSvcs.exe can be detected by modern EDRs, but the heavy obfuscation, fileless in-memory loading, and use of legitimate Microsoft binaries (LOLBins) may bypass static or reputation-based checks. Network Visibility: Medium — Initial phishing links use legitimate Google Cloud Storage domains, blending in with normal traffic. However, C2 communications from the Remcos RAT to known malicious IPs can be detected. Detection Difficulty: Hard — The attack leverages trusted infrastructure (Google Cloud Storage) for delivery and signed Microsoft binaries (RegSvcs.exe) for execution, making it difficult to distinguish from legitimate administrative or user activity without deep behavioral analysis.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• Network Connections (Sysmon Event ID 3)
• Registry Events (Sysmon Event IDs 12, 13, 14)
• File Creation (Sysmon Event ID 11)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for wscript.exe executing JavaScript or VBScript files originating from user download directories.	Process Creation (Event ID 4688 / Sysmon Event ID 1)	Execution	Medium (Legitimate administrative scripts may run via wscript, but rarely from Downloads)
Identify instances of RegSvcs.exe executing from unusual directories such as %TEMP% or %APPDATA%.	Process Creation (Event ID 4688 / Sysmon Event ID 1)	Defense Evasion	Low (RegSvcs.exe typically executes from the Windows directory)
Monitor for unexpected registry modifications under HKEY_CURRENT_USER\Software\ targeting persistence mechanisms.	Registry Events (Sysmon Event IDs 12, 13, 14)	Persistence	Medium (Many applications write to HKCU\Software, requires filtering for known malicious patterns or unexpected keys like Remcos-{ID})

Control Gaps

• Reputation-based email filtering
• Static file analysis / traditional AV

Key Behavioral Indicators

• wscript.exe spawning from browsers or email clients
• RegSvcs.exe network connections
• In-memory loading of .NET assemblies via PowerShell (Assembly.Load)

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Block known C2 IP addresses and associated domains at the perimeter.
• Search endpoint telemetry for execution of 'Bid-Packet-INV-Document.js' or 'DYHVQ.ps1'.
• Isolate any endpoints showing anomalous 'RegSvcs.exe' activity.

Infrastructure Hardening

• Implement application control to restrict the execution of wscript.exe and cscript.exe for standard users.
• Restrict the execution of LOLBins like RegSvcs.exe unless explicitly required by developers or administrators.

User Protection

• Deploy behavioral EDR solutions capable of detecting process hollowing and in-memory execution.
• Enhance email security with anti-phishing solutions that analyze link behavior rather than just domain reputation.

Security Awareness

• Train users to recognize phishing attempts hosted on legitimate cloud services (e.g., Google Drive, Dropbox).
• Educate employees on the dangers of downloading and executing unexpected script files (.js, .vbs) disguised as documents.

MITRE ATT&CK Mapping

• T1059.001 - PowerShell
• T1059.003 - Windows Command Shell
• T1059.005 - Visual Basic
• T1059.007 - JavaScript
• T1547.001 - Registry Run Keys / Startup Folder
• T1497.003 - Time Based Checks
• T1070.004 - File Deletion
• T1082 - System Information Discovery
• T1083 - File and Directory Discovery
• T1071.001 - Web Protocols
• T1105 - Ingress Tool Transfer
• T1055.012 - Process Hollowing

Additional IOCs

• Ips:
  • 198[.]187[.]29[.]19 - Remcos C2 IP address identified in threat intelligence lookup.
• Domains:
  • pa-bids[.]storage[.]googleapis[.]com - Subdomain used to host Google Drive phishing pages.
  • com-bid[.]storage[.]googleapis[.]com - Subdomain used to host Google Drive phishing pages.
  • contract-bid-0[.]storage[.]googleapis[.]com - Subdomain used to host Google Drive phishing pages.
  • in-bids[.]storage[.]googleapis[.]com - Subdomain used to host Google Drive phishing pages.
  • out-bid[.]storage[.]googleapis[.]com - Subdomain used to host Google Drive phishing pages.
  • usmetalpowders[.]co - Domain associated with the Remcos campaign infrastructure.
  • plu[.]sh - Domain associated with the Remcos campaign infrastructure.
  • canadianpeacemakersint[.]org - Domain associated with the Remcos campaign infrastructure.
  • artcoreuk[.]com - Domain associated with the Remcos campaign infrastructure.
  • clawscustomboxes[.]co[.]uk - Domain associated with the Remcos campaign infrastructure.
  • www[.]millinerwears[.]com - Domain associated with the Remcos campaign infrastructure.
• Urls:
  • hxxps://usmetalpowders[.]co/1a/uh.php - URL associated with the Remcos campaign infrastructure.
• Registry Keys:
  • HKEY_CURRENT_USER\Software\Remcos-{ID} - Remcos RAT persistence key.
• File Paths:
  • %APPDATA%\WindowsUpdate - Folder used by the second-stage VBScript to drop components.
  • %TEMP%\RegSvcs.exe - Path where the legitimate RegSvcs.exe is created or started for process hollowing.
  • C:\Users\admin\Downloads\Bid Packet INV - Document.js - Path of the initial downloaded malicious JavaScript file.
  • C:\Users\admin\AppData\Local\Temp\wpbmuoizgsc.vbs - Path of the second-stage VBScript file.
• Command Lines:
  • Purpose: Execution of the initial malicious JavaScript payload | Tools: wscript.exe | Stage: Execution | wscript.exe <path>\Bid Packet INV - Document.js
  • Purpose: Execution of the second-stage VBScript payload | Tools: wscript.exe | Stage: Execution | wscript.exe //B <path>\wpbmuoizgsc.vbs
  • Purpose: Execution of the hollowed process containing Remcos RAT | Tools: RegSvcs.exe | Stage: Defense Evasion | <path>\RegSvcs.exe
• Other:
  • ZIFDG.tmp - Obfuscated portable executable containing the Remcos RAT payload.