Firebase, Google Apps Script Abused in Fresh Phishing Campaigns
securityweek
Cybersecurity researchers are calling attention to two recently observed phishing campaigns caught abusing the legitimate services Firebase and Google Apps Script to lure unsuspecting users to malicious content.
In mid-May, Trellix said it identified a spear-phishing operation impersonating a Rothschild & Co employee to target financial executives at banks and energy, insurance, and investment organizations in Africa, Canada, Europe, the Middle East, and South Asia.
The malicious emails contained a fake brochure, identified as a webpage hosted on Firebase and hidden behind a math-quiz custom CAPTCHA. Once the challenge is solved, the victim is served a ZIP file that contains a VBS script.
The script was designed to silently install NetBird and OpenSSH on the victim’s system, to create a hidden local-admin account, and to enable RDP, providing the attackers with remote access to the machine.
The multi-stage attack was designed to evade detection from both defensive solutions and ...
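The post-infection behaviour described above (NetBird and OpenSSH installed, a new local-admin account, RDP enabled) can be hunted for as a correlated sequence on a single host. The following is an added example, not code from the article or from Trellix. It assumes events have already been normalized into simple records. The field names, the 30-minute window, and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
REQUIRED = {"remote_tool_service", "new_local_admin", "rdp_enabled"}
RDP_KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

def classify(ev):
    """Map one normalized event record to a signal name, or None."""
    eid = ev["event_id"]
    if eid == 7045:  # System log: a service was installed
        name = ev.get("service", "").lower()
        if any(s in name for s in ("netbird", "sshd", "openssh")):
            return "remote_tool_service"
    elif eid == 4732:  # Security log: member added to a local group
        if ev.get("group") == "Administrators":
            return "new_local_admin"
    elif eid == 13:  # Sysmon: registry value set
        key = ev.get("target", "").lower()
        if key.endswith(r"\terminal server\fdenytsconnections") and ev.get("value") == 0:
            return "rdp_enabled"  # 0 means RDP connections are allowed
    return None

def correlate(events, window=WINDOW):
    """Return hosts where all three signals occur within one window."""
    last_seen = {}  # host -> {signal: most recent timestamp}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sig = classify(ev)
        if sig is None:
            continue
        seen = last_seen.setdefault(ev["host"], {})
        seen[sig] = ev["time"]
        # Current event is the newest; compare against the oldest signal.
        if REQUIRED.issubset(seen) and ev["time"] - min(seen.values()) <= window:
            if ev["host"] not in alerts:
                alerts.append(ev["host"])
    return alerts

T0 = datetime(2025, 1, 1, 9, 0)  # constructed timestamp
SAMPLE = [  # constructed records; host names and fields are hypothetical
    {"host": "FIN-WS01", "time": T0, "event_id": 7045, "service": "NetBird"},
    {"host": "FIN-WS01", "time": T0 + timedelta(minutes=1), "event_id": 7045, "service": "sshd"},
    {"host": "FIN-WS01", "time": T0 + timedelta(minutes=2), "event_id": 4732, "group": "Administrators"},
    {"host": "FIN-WS01", "time": T0 + timedelta(minutes=3), "event_id": 13, "target": RDP_KEY, "value": 0},
    {"host": "DEV-WS02", "time": T0, "event_id": 7045, "service": "sshd"},
    {"host": "DEV-WS02", "time": T0 + timedelta(days=1), "event_id": 13, "target": RDP_KEY, "value": 0},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Any one of these events is common in normal administration. The combination on one host within a short window is what warrants triage.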
Copyright of this story solely belongs to securityweek.