Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/23/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Google File Cabinet Plays Host to Malware Payloads

Researchers detect a new drive-by download attack in which Google Sites' file cabinet template is a delivery vehicle for malware.

Update: This story has been updated effective April 26, 2019 to reflect Google's statement.

Cybercriminals have been using the file cabinet template built into Google Sites to deliver the banking Trojan LoadPCBanker to victims who speak Portuguese and/or are based in Brazil, security researchers report.

Netskope Threat Research Labs noticed this attack in early April, largely because of the method of deployment. "This [attack] was one that caught our eye because the delivery system was interesting," says Netskope architect Raymond Canzanese. Unlike Google services like Gmail, which block malicious file uploads, Google File Cabinet doesn't seem to have any such limits.

Google Sites is a legacy platform historically used to build simple websites. A separate functionality called Google File Cabinet is used to upload files to be hosted on a website. Cybercriminals are now using File Cabinet to upload malware to websites and send the links to victims via phishing emails. Victims who click the links — which are displayed with Google URLs — are taken to attackers' websites. There, they are presented with a malicious executable, typically a PDF disguised as a guesthouse or hotel reservation, Canzanese says.

Researchers think the adversaries are relying on Google's brand trustworthiness. People have an "implicit trust" in vendors like Google, Netskope's Ashwin Vamshi wrote in a blog post. "As a result, they are more likely to fall victim to an attack launched from within a Google service."

Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. The emails will also bypass filters designed to block bad attachments before they arrive in victims' inboxes.

The attack kill chain for LoadPCBanker starts with a first-stage parent downloader, which downloads next-stage payloads from a file hosting site. Next-stage payloads collect screenshots, clipboard data, and keystrokes from victims. All of the collected data is exfiltrated to the attackers' server using SQL, which Canzanese notes is another interesting trait of this threat.

"It's not something we see a lot of," he says of the SQL exfiltration. Researchers don't think it's a sign of attacker sophistication; rather, they see it as a sign the intruders are trying to blend in. This way, exfiltrated information blends in with standard SQL traffic and may not be detected.

LoadPCBanker: Old Threat Resurfaces
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Minor changes have been made over the years; however, there have been no major additions or edits to LoadPCBanker's functionality, Canzanese says.

It seems these attackers are going after Brazil-based or Portuguese-speaking targets, based on an executable discovered with a Portuguese name. While researchers can't speak to the total number of targets, they did determine an approximate number being actively surveilled.

"In the time we've been watching this, we've only seen 20 users actively being surveilled," says Canzanese. The attackers have taken screenshots from victims' machines and tracked their keylogging, potentially trying to obtain user credentials. The targets' IP addresses indicate they're scattered all over Brazil; there is no sign a specific business is being singled out.

Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. It's unclear whether they're getting caught and shutting down, or being cautious and trying to evade detection. Canzanese anticipates the latter is more likely.

Analysis shows this latest wave of attacks has been going on since February 2019. It's possible the same attacker is behind LoadPCBanker incidents in 2014 and 2019; however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame.

"We haven't been able to find anything that indicates it's been the same actor using it," he notes, adding that attribution is difficult without more concrete evidence. The team also doesn't have sufficient evidence to confirm this is the work of another attacker or group.

Update: Google has responded to this story with the following: "Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chrome's Safe Browsing filters," according to a spokesperson.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:20:38 PM
Many attackers?
however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame. My guess is that many attackers behind this as it is smart and effective. Just a guess.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:18:43 PM
Since 2014
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Yes. There is not much you can do if phishing attack but relying on awareness.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:16:23 PM
Credentials
Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. This may be because they want their trace not out there. Easy to rotate credentials.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:14:31 PM
Google
Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. This makes really good sense. Most trust google so just click the link.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:13:06 PM
Google File Cabinet
As the article points out this is not Google File Cabinet vulnerability but attacker doing phishing attack on googles trusted brand.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...