Google Firebase Hosting Abused to Deliver Sorillus RAT, Phishing Page

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In a recent case in June 2023, our Security Operations Center was alerted to suspicious code written to registry in an endpoint in a manufacturing customer’s network. The investigation identified Sorillus RAT, and a phishing page being delivered using HTML smuggled files and links using Google’s Firebase Hosting service.

What is Google Firebase Hosting?

Google Firebase Hosting is a cloud-based hosting service provided by Google as part of its Firebase platform that allows developers to easily deploy and serve web applications and static websites.

Projects are hosted as a subdomain to either “web.app” or “firebaseapp.com” and are automatically configured with SSL and served using Google’s Content Delivery Network (CDN) edge servers.

These factors make identifying malicious content using metadata such as domain age, reputation or SSL certificate details difficult since they are tied to a generic Google service. A cursory look at Twitter mentions involving “web.app” and the terms “phishing” or “malware” yields around three thousand tweets, primarily from researchers reporting malicious content abusing the platform. These mentions have seen a noted increase since September 2022.

A look at submissions to VirusTotal yields 20,000+ *.web.app subdomains with ten or more security vendors reporting malicious content such as phishing or malware.

Sorillus RAT Activity

Sorillus RAT is a Java-based and cross-platform commercial malware offering various information stealing and remote access capabilities.

In this case, Sorillus was delivered to the victim via an email containing a tax-themed zip file (tax-document.zip). The zip contained an HTML file called “2022tax-extension.html” that smuggled the Java payload Tax-document_PDF.jar (MD5: e93b8dddfc9715f1785ff8f554d538a8).

When clicked, the .jar file is executed by the Java executable (if present on the system) then writes a copy of itself to %AppData%\Roaming\Microsoft\.tmp\ with the extension .tmp and defines a registry run key called “Home” to execute the Java payload when the user logs in.

Examining the decompiled Jar file, we see multiple obfuscated class files:

These contain hints at the program’s RAT-like functionality:

The root folder holds a file titled “checksum” which contains the RAT’s configuration:

Unfortunately, during subsequent analysis the original zip file could not be retrieved due to lack of telemetry. Open-source analysis of similar Sorillus samples using Tax-themed lures around the time yielded several samples (1,2,3) which utilized Firebase Hosting for delivering the zip payloads:

• canmond[.]web[.]app/W2_and_1095A.zip
• savuom[.]web[.]app/Tax-documents.zip
• osaomnc[.]web[.]app/Tax-document.zip

Sorillus Attribution and Adwind Confusion

Initially, analysts mistook this RAT as Adwind, an older commercial Java-based RAT with similar capabilities. Sandbox analysis of samples identified network traffic as Adwind, but little else matched previously known samples, particularly the configuration file shown in Figure 6. Certain class files (such as the one shown in Figure 5) and network traffic matched our previous Sorillus observations, leading us to believe this was an updated version of Sorillus.

Sorillus 6.1 was released on January 19, 2023, and added new features including support for loading dynamic configuration settings via Pastebin.

We identified a cracked version 6.1 leaked on Telegram on June 9^th, and another uploaded to VirusTotal on May 31^st. Examining the latter, we confirmed the configuration file produced by the control panel matches those samples seen in the wild.

The latest version provides several information stealing capabilities, including browser credentials.

It claims to extract credentials from Chromium-based browsers such as Chrome and Edge, which we were able to confirm on the latest Chrome build.

Highly Obfuscated Phishing Page Rendered Using Code from Multiple Cloud Services

During our investigation, we identified the victim had also opened with and interacted with a phishing kit that heavily relied on Firebase Hosting for its components. The activity occurred just minutes prior to the Sorillus RAT activity but was likely unrelated. The phishing page used an invoice-themed HTM document “invoice.statemtent.htm” delivered to the victim via email (similar files on VirusTotal enjoy extremely low detection rates).

The HTM file contains multiple layers of obfuscation and uses a decoding function ('_0x175d' in Figure _9 below) to rearrange and decode elements of array ‘_0xa2cc’ based on hex characters passed as parameters when the function is invoked.

This appears to dynamically construct new HTML code when the HTM file is opened in the browser, as demonstrated in Figure 10.

Multiple obfuscated JavaScript files are ultimately loaded from vinapsminznusx[.]web[.]app and wispy-dawn-ea24.porschea50[.]workers[.]dev and are used to dynamically render a Microsoft 0365 login page using web content pulled from Microsoft (acctcdn.msftauth.net/images/).

Interestingly, the workers.dev domain is a domain extension provided by Cloudflare for their Cloudflare Workers platform. Cloudflare Workers is a serverless computing platform that allows developers to run JavaScript code on Cloudflare's network of data centers.

To summarize, this phishing kit uses a local HTM file to pull highly obfuscated JavaScript components from Google and Cloudflare cloud computing services before rendering the phishing page using real brand assets from Microsoft.

An example of this phishing attack can be seen at https://www.joesandbox.com/analysis/887395/0/html#deviceScreen.

How did we find it?

• MDR for Endpoint identified suspicious code loaded into registry and subsequent investigation identified the phishing attack.

What did we do?

• Our team of 24/7 SOC Cyber Analysts isolated the host and alerted the customer while an investigation took place.

What can you learn from this TRU Positive?

• Cloud services can be an effective way to defeat reputation-based security filters. For example, a link such as hxxps://osaomnc[.]web[.]app/Tax-document.zip would contain generic registration and SSL certificate attributes linking it to Google services.
  • This not only inherits those trusted (or known good) reputation attributes, it also makes threat detection based on characteristics like domain registration age nearly impossible.
• Storing individual code components in separate cloud services (Google and Cloudflare in this case) makes detection by automated scanners more difficult, since only partial functionality is revealed to each provider. It also creates redundancy should either provider remove code or accounts in isolation.
• Tax-themed lures remain extremely popular during spring and early summer. The lures seen here are aimed at tax filing extensions after the April deadline.

Recommendations from our Threat Response Unit (TRU) Team:

• Protect endpoints against malware by:
  • Ensuring antivirus signatures are up-to-date.
  • Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.
• Consider removing Java on systems where it is not needed.
• Consider creating a new “Open With” parameters for .jar files so they open with notepad.exe. This setting is found in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options.
  • Applying this to other script files (.js, .jse, .hta, .vbs) is also recommended for most users to limit the risk of click-to-execute content.

Indicators of Compromise