Google File Cabinet Plays Host to Malware Payloads

Researchers detect a new drive-by download attack in which Google Sites’ file cabinet template is a delivery vehicle for malware.

Cybercriminals have been using the file cabinet template built into Google Sites to deliver the banking Trojan LoadPCBanker to victims who speak Portuguese and/or are based in Brazil, security researchers report.

Netskope Threat Research Labs noticed this attack in early April, largely because of the method of deployment. “This [attack] was one that caught our eye because the delivery system was interesting,” says Netskope architect Raymond Canzanese. Unlike Google services like Gmail, which block malicious file uploads, Google File Cabinet doesn’t seem to have any such limits.

Google Sites is a legacy platform historically used to build simple websites. A separate functionality called Google File Cabinet is used to upload files to be hosted on a website. Cybercriminals are now using File Cabinet to upload malware to websites and send the links to victims via phishing emails. Victims who click the links — which are displayed with Google URLs — are taken to attackers’ websites. There, they are presented with a malicious executable, typically a PDF disguised as a guesthouse or hotel reservation, Canzanese says.

Researchers think the adversaries are relying on Google’s brand trustworthiness. People have an “implicit trust” in vendors like Google, Netskope’s Ashwin Vamshi wrote in a blog post. “As a result, they are more likely to fall victim to an attack launched from within a Google service.”

Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. The emails will also bypass filters designed to block bad attachments before they arrive in victims’ inboxes.

The attack kill chain for LoadPCBanker starts with a first-stage parent downloader, which downloads next-stage payloads from a file hosting site. Next-stage payloads collect screenshots, clipboard data, and keystrokes from victims. All of the collected data is exfiltrated to the attackers’ server using SQL, which Canzanese notes is another interesting trait of this threat.

“It’s not something we see a lot of,” he says of the SQL exfiltration. Researchers don’t think it’s a sign of attacker sophistication; rather, they see it as a sign the intruders are trying to blend in. This way, exfiltrated information blends in with standard SQL traffic and may not be detected.

LoadPCBanker: Old Threat Resurfaces
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Minor changes have been made over the years; however, there have been no major additions or edits to LoadPCBanker’s functionality, Canzanese says.

It seems these attackers are going after Brazil-based or Portuguese-speaking targets, based on an executable discovered with a Portuguese name. While researchers can’t speak to the total number of targets, they did determine an approximate number being actively surveilled.

“In the time we’ve been watching this, we’ve only seen 20 users actively being surveilled,” says Canzanese. The attackers have taken screenshots from victims’ machines and tracked their keylogging, potentially trying to obtain user credentials. The targets’ IP addresses indicate they’re scattered all over Brazil; there is no sign a specific business is being singled out.

Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. It’s unclear whether they’re getting caught and shutting down, or being cautious and trying to evade detection. Canzanese anticipates the latter is more likely.

Analysis shows this latest wave of attacks has been going on since February 2019. It’s possible the same attacker is behind LoadPCBanker incidents in 2014 and 2019; however, Canzanese says it’s also possible the source code has been reused by multiple attackers in the same time frame.

“We haven’t been able to find anything that indicates it’s been the same actor using it,” he notes, adding that attribution is difficult without more concrete evidence. The team also doesn’t have sufficient evidence to confirm this is the work of another attacker or group.

Related Content:

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

More Insights

Read More HERE

Leave a Reply