What We Do
How We Do
Resources
Company
Partners
Get Started
Blog

Google Firebase Hosting Abused to Deliver Sorillus RAT, Phishing Page

BY eSentire Threat Response Unit (TRU)

July 13, 2023 | 7 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In a recent case in June 2023, our Security Operations Center was alerted to suspicious code written to registry in an endpoint in a manufacturing customer’s network. The investigation identified Sorillus RAT, and a phishing page being delivered using HTML smuggled files and links using Google’s Firebase Hosting service.

What is Google Firebase Hosting?

Google Firebase Hosting is a cloud-based hosting service provided by Google as part of its Firebase platform that allows developers to easily deploy and serve web applications and static websites.

Projects are hosted as a subdomain to either “web.app” or “firebaseapp.com” and are automatically configured with SSL and served using Google’s Content Delivery Network (CDN) edge servers.

Figure 1 Snippet from https://firebase.google.com/docs/hosting


These factors make identifying malicious content using metadata such as domain age, reputation or SSL certificate details difficult since they are tied to a generic Google service. A cursory look at Twitter mentions involving “web.app” and the terms “phishing” or “malware” yields around three thousand tweets, primarily from researchers reporting malicious content abusing the platform. These mentions have seen a noted increase since September 2022.

A look at submissions to VirusTotal yields 20,000+ *.web.app subdomains with ten or more security vendors reporting malicious content such as phishing or malware.

Figure 2 VirusTotal search results for subdomains hosted on Firebase Hosting classified as malicious by at least 10 security vendors.

Sorillus RAT Activity

Sorillus RAT is a Java-based and cross-platform commercial malware offering various information stealing and remote access capabilities.

Figure 3 Example of Sorillus capabilities from the control panel.


In this case, Sorillus was delivered to the victim via an email containing a tax-themed zip file (tax-document.zip). The zip contained an HTML file called “2022tax-extension.html” that smuggled the Java payload Tax-document_PDF.jar (MD5: e93b8dddfc9715f1785ff8f554d538a8).

When clicked, the .jar file is executed by the Java executable (if present on the system) then writes a copy of itself to %AppData%\Roaming\Microsoft\.tmp\ with the extension .tmp and defines a registry run key called “Home” to execute the Java payload when the user logs in.

Figure 4 Sorillus registry run key.


Examining the decompiled Jar file, we see multiple obfuscated class files:

Figure 5 Decompiled class files.


These contain hints at the program’s RAT-like functionality:

Figure 6 Strings common with remote access malware found among obfuscated code.


The root folder holds a file titled “checksum” which contains the RAT’s configuration:

Figure 7 Configuration file. Sorillus has been known to use decoy configs in the past, but that doesn't appear to be the case here.


Unfortunately, during subsequent analysis the original zip file could not be retrieved due to lack of telemetry. Open-source analysis of similar Sorillus samples using Tax-themed lures around the time yielded several samples (1,2,3) which utilized Firebase Hosting for delivering the zip payloads:

Sorillus Attribution and Adwind Confusion

Initially, analysts mistook this RAT as Adwind, an older commercial Java-based RAT with similar capabilities. Sandbox analysis of samples identified network traffic as Adwind, but little else matched previously known samples, particularly the configuration file shown in Figure 6. Certain class files (such as the one shown in Figure 5) and network traffic matched our previous Sorillus observations, leading us to believe this was an updated version of Sorillus.

Figure 8 Snippet of C2 traffic from a public sandbox analysis for a similar sample.


Sorillus 6.1 was released on January 19, 2023, and added new features including support for loading dynamic configuration settings via Pastebin.

Figure 9 Snippet from V6.1 Release Video https://www.youtube.com/watch?v=P-TqclpeXsw


We identified a cracked version 6.1 leaked on Telegram on June 9th, and another uploaded to VirusTotal on May 31st. Examining the latter, we confirmed the configuration file produced by the control panel matches those samples seen in the wild.

Figure 10 Sorillus control panel configuration settings and subsequent configuration file written to the payload.


The latest version provides several information stealing capabilities, including browser credentials.

Figure 11 Uploading the password stealing plugin to the victim machine.


It claims to extract credentials from Chromium-based browsers such as Chrome and Edge, which we were able to confirm on the latest Chrome build.

Figure 12 Stored credentials were successfully exfiltrated from the latest Chrome build (insert).

Highly Obfuscated Phishing Page Rendered Using Code from Multiple Cloud Services

During our investigation, we identified the victim had also opened with and interacted with a phishing kit that heavily relied on Firebase Hosting for its components. The activity occurred just minutes prior to the Sorillus RAT activity but was likely unrelated. The phishing page used an invoice-themed HTM document “invoice.statemtent.htm” delivered to the victim via email (similar files on VirusTotal enjoy extremely low detection rates).

The HTM file contains multiple layers of obfuscation and uses a decoding function ('_0x175d' in Figure _9 below) to rearrange and decode elements of array ‘_0xa2cc’ based on hex characters passed as parameters when the function is invoked.

Figure 13 Obfuscated JavaScript code found in HTM file. Similar JS is found in subsequent script files.


This appears to dynamically construct new HTML code when the HTM file is opened in the browser, as demonstrated in Figure 10.

Figure 14 Encoded strings passed to function shown in Figure 9. This string returns a link to additional code hosted on Cloudflare.


Multiple obfuscated JavaScript files are ultimately loaded from vinapsminznusx[.]web[.]app and wispy-dawn-ea24.porschea50[.]workers[.]dev and are used to dynamically render a Microsoft 0365 login page using web content pulled from Microsoft (acctcdn.msftauth.net/images/).

Interestingly, the workers.dev domain is a domain extension provided by Cloudflare for their Cloudflare Workers platform. Cloudflare Workers is a serverless computing platform that allows developers to run JavaScript code on Cloudflare's network of data centers.

To summarize, this phishing kit uses a local HTM file to pull highly obfuscated JavaScript components from Google and Cloudflare cloud computing services before rendering the phishing page using real brand assets from Microsoft.

Figure 15 0ffice 365 phishing page.


An example of this phishing attack can be seen at https://www.joesandbox.com/analysis/887395/0/html#deviceScreen.

How did we find it?

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Indicators of Compromise

Indicator

Note

osaomnc[.]web[.]app

Firebase Hosting Sorillus Zip Payloads

savuom[.]web[.]app

canmond[.]web[.]app

e93b8dddfc9715f1785ff8f554d538a8

Sorillus Java Payload Tax-document_PDF.jar

185.196.220.62

Sorillus C2

vinapsminznusx[.]web[.]app

Hosting various JS components for phishing pages

wispy-dawn-ea24.porschea50[.]workers[.]dev

5f74bc4dc4ed13805295ae2f249450bb

“Invoice.Statemtent.htm” phishing HTM files

eb1974840d85530ce42928edb27a2884

9251ca090c5b4d7fe7e309b5f8bbd0cf

66a13a6998a62bda15082b09980ca053

29fc65f116072a072d52dac21d33335f

2e277b66aed7aa20d399f115f4a7a2f8

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire