Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/23/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google File Cabinet Plays Host to Malware Payloads

Researchers detect a new drive-by download attack in which Google Sites' file cabinet template is a delivery vehicle for malware.

Update: This story has been updated effective April 26, 2019 to reflect Google's statement.

Cybercriminals have been using the file cabinet template built into Google Sites to deliver the banking Trojan LoadPCBanker to victims who speak Portuguese and/or are based in Brazil, security researchers report.

Netskope Threat Research Labs noticed this attack in early April, largely because of the method of deployment. "This [attack] was one that caught our eye because the delivery system was interesting," says Netskope architect Raymond Canzanese. Unlike Google services like Gmail, which block malicious file uploads, Google File Cabinet doesn't seem to have any such limits.

Google Sites is a legacy platform historically used to build simple websites. A separate functionality called Google File Cabinet is used to upload files to be hosted on a website. Cybercriminals are now using File Cabinet to upload malware to websites and send the links to victims via phishing emails. Victims who click the links — which are displayed with Google URLs — are taken to attackers' websites. There, they are presented with a malicious executable, typically a PDF disguised as a guesthouse or hotel reservation, Canzanese says.

Researchers think the adversaries are relying on Google's brand trustworthiness. People have an "implicit trust" in vendors like Google, Netskope's Ashwin Vamshi wrote in a blog post. "As a result, they are more likely to fall victim to an attack launched from within a Google service."

Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. The emails will also bypass filters designed to block bad attachments before they arrive in victims' inboxes.

The attack kill chain for LoadPCBanker starts with a first-stage parent downloader, which downloads next-stage payloads from a file hosting site. Next-stage payloads collect screenshots, clipboard data, and keystrokes from victims. All of the collected data is exfiltrated to the attackers' server using SQL, which Canzanese notes is another interesting trait of this threat.

"It's not something we see a lot of," he says of the SQL exfiltration. Researchers don't think it's a sign of attacker sophistication; rather, they see it as a sign the intruders are trying to blend in. This way, exfiltrated information blends in with standard SQL traffic and may not be detected.

LoadPCBanker: Old Threat Resurfaces
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Minor changes have been made over the years; however, there have been no major additions or edits to LoadPCBanker's functionality, Canzanese says.

It seems these attackers are going after Brazil-based or Portuguese-speaking targets, based on an executable discovered with a Portuguese name. While researchers can't speak to the total number of targets, they did determine an approximate number being actively surveilled.

"In the time we've been watching this, we've only seen 20 users actively being surveilled," says Canzanese. The attackers have taken screenshots from victims' machines and tracked their keylogging, potentially trying to obtain user credentials. The targets' IP addresses indicate they're scattered all over Brazil; there is no sign a specific business is being singled out.

Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. It's unclear whether they're getting caught and shutting down, or being cautious and trying to evade detection. Canzanese anticipates the latter is more likely.

Analysis shows this latest wave of attacks has been going on since February 2019. It's possible the same attacker is behind LoadPCBanker incidents in 2014 and 2019; however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame.

"We haven't been able to find anything that indicates it's been the same actor using it," he notes, adding that attribution is difficult without more concrete evidence. The team also doesn't have sufficient evidence to confirm this is the work of another attacker or group.

Update: Google has responded to this story with the following: "Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chrome's Safe Browsing filters," according to a spokesperson.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:20:38 PM
Many attackers?
however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame. My guess is that many attackers behind this as it is smart and effective. Just a guess.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:18:43 PM
Since 2014
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Yes. There is not much you can do if phishing attack but relying on awareness.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:16:23 PM
Credentials
Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. This may be because they want their trace not out there. Easy to rotate credentials.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:14:31 PM
Google
Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. This makes really good sense. Most trust google so just click the link.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/26/2019 | 3:13:06 PM
Google File Cabinet
As the article points out this is not Google File Cabinet vulnerability but attacker doing phishing attack on googles trusted brand.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13817
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
CVE-2020-13818
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
CVE-2020-6640
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
CVE-2020-9292
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
CVE-2019-16150
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...