The infamous Carbanak cybercrime gang responsible for hacking and stealing money from financial institutions in 2015 recently resurfaced with a new modus operandi: using Google services for command-and-control of its malware.
Researchers from Forcepoint Security Labs today detailed new activity they spotted by the Carbanak gang that employs Google's Apps Script, Sheets, and Forms cloud-based services to send and receive commands for its malware. Forcepoint recently spotted Carbanak using a trojanized RTF document with an encoded Visual Basic script.
"For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight," Forcepoint wrote in a blog post today.
Carbanak, which was first discovered by researchers at Kaspersky Lab, is an international cybercrime ring based out of Eastern Europe that pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.
Forcepoint says it has notified Google about Carbanak's fraud via Google services.