

4/23/2019
06:15 PM

Google File Cabinet Plays Host to Malware Payloads

Researchers detect a new drive-by download attack in which Google Sites' file cabinet template is a delivery vehicle for malware.

Update: This story has been updated effective April 26, 2019 to reflect Google's statement.

Cybercriminals have been using the file cabinet template built into Google Sites to deliver the banking Trojan LoadPCBanker to victims who speak Portuguese and/or are based in Brazil, security researchers report.

Netskope Threat Research Labs noticed this attack in early April, largely because of the method of deployment. "This [attack] was one that caught our eye because the delivery system was interesting," says Netskope architect Raymond Canzanese. Unlike Google services like Gmail, which block malicious file uploads, Google File Cabinet doesn't seem to have any such limits.

Google Sites is a legacy platform historically used to build simple websites. A separate functionality called Google File Cabinet is used to upload files to be hosted on a website. Cybercriminals are now using File Cabinet to upload malware to websites and send the links to victims via phishing emails. Victims who click the links — which are displayed with Google URLs — are taken to attackers' websites. There, they are presented with a malicious executable, typically a PDF disguised as a guesthouse or hotel reservation, Canzanese says.

Researchers think the adversaries are relying on Google's brand trustworthiness. People have an "implicit trust" in vendors like Google, Netskope's Ashwin Vamshi wrote in a blog post. "As a result, they are more likely to fall victim to an attack launched from within a Google service."

Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. The emails will also bypass filters designed to block bad attachments before they arrive in victims' inboxes.

The attack kill chain for LoadPCBanker starts with a first-stage parent downloader, which downloads next-stage payloads from a file hosting site. Next-stage payloads collect screenshots, clipboard data, and keystrokes from victims. All of the collected data is exfiltrated to the attackers' server using SQL, which Canzanese notes is another interesting trait of this threat.

"It's not something we see a lot of," he says of the SQL exfiltration. Researchers don't think it's a sign of attacker sophistication; rather, they see it as a sign the intruders are trying to blend in. This way, exfiltrated information blends in with standard SQL traffic and may not be detected.
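A defender's view of the SQL exfiltration described above, as an added example that is not part of the original article or of Netskope's research: a short Python check that flags database-protocol sessions from user workstations to hosts outside the internal network. The flow-log format, the port list, the workstation subnet and the sample records are all assumptions constructed for illustration, and the check assumes workstations have no sanctioned reason to reach external database servers.

```python
import ipaddress

# Assumption: default ports of common SQL servers. The article does not say
# which database product the malware connects to.
SQL_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2019-04-10T09:00:01Z 10.20.1.15 10.50.0.8 3306 48211
2019-04-10T09:00:07Z 10.20.1.15 203.0.113.40 443 9120
2019-04-10T09:01:12Z 10.20.1.77 198.51.100.23 3306 18044
2019-04-10T09:06:12Z 10.20.1.77 198.51.100.23 3306 20310
2019-04-10T09:07:30Z 10.20.1.42 192.0.2.9 1433 512
malformed line
"""


def find_external_sql_flows(log_text, workstation_net="10.20.0.0/16",
                            approved_db_hosts=frozenset()):
    """Summarise workstation-to-external SQL sessions.

    Returns {(src, dst, service): (connection_count, bytes_out)}.
    """
    workstations = ipaddress.ip_network(workstation_net)
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        _, src, dst, port, sent = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, sent = int(port), int(sent)
        except ValueError:
            continue  # unparseable address or number
        if port not in SQL_PORTS or src_ip not in workstations:
            continue
        if dst in approved_db_hosts or any(dst_ip in n for n in INTERNAL_NETS):
            continue  # sanctioned or internal database server
        key = (src, dst, SQL_PORTS[port])
        count, total = hits.get(key, (0, 0))
        hits[key] = (count + 1, total + sent)
    return hits


if __name__ == "__main__":
    for (src, dst, svc), (n, total) in find_external_sql_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst} ({svc}): {n} sessions, {total} bytes out")
```

Repeated sessions from one workstation to the same external database host, as in the second constructed pair, are the pattern worth triaging first.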

LoadPCBanker: Old Threat Resurfaces

While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Minor changes have been made over the years; however, there have been no major additions or edits to LoadPCBanker's functionality, Canzanese says.

It seems these attackers are going after Brazil-based or Portuguese-speaking targets, based on an executable discovered with a Portuguese name. While researchers can't speak to the total number of targets, they did determine an approximate number being actively surveilled.

"In the time we've been watching this, we've only seen 20 users actively being surveilled," says Canzanese. The attackers have taken screenshots from victims' machines and tracked their keylogging, potentially trying to obtain user credentials. The targets' IP addresses indicate they're scattered all over Brazil; there is no sign a specific business is being singled out.

Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. It's unclear whether they're getting caught and shutting down, or being cautious and trying to evade detection. Canzanese anticipates the latter is more likely.

Analysis shows this latest wave of attacks has been going on since February 2019. It's possible the same attacker is behind LoadPCBanker incidents in 2014 and 2019; however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame.

"We haven't been able to find anything that indicates it's been the same actor using it," he notes, adding that attribution is difficult without more concrete evidence. The team also doesn't have sufficient evidence to confirm this is the work of another attacker or group.

Update: Google has responded to this story with the following: "Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chrome's Safe Browsing filters," according to a spokesperson.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Dr.T,
User Rank: Ninja
4/26/2019 | 3:20:38 PM
Many attackers?
"however, Canzanese says it's also possible the source code has been reused by multiple attackers in the same time frame." My guess is that many attackers are behind this, as it is smart and effective. Just a guess.
Dr.T,
User Rank: Ninja
4/26/2019 | 3:18:43 PM
Since 2014
"While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014." Yes. There is not much you can do if it is a phishing attack but rely on awareness.
Dr.T,
User Rank: Ninja
4/26/2019 | 3:16:23 PM
Credentials
"Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says." This may be because they do not want their trace out there. It is easy to rotate credentials.
Dr.T,
User Rank: Ninja
4/26/2019 | 3:14:31 PM
Google
"Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid." This makes really good sense. Most trust Google, so they just click the link.
Dr.T,
User Rank: Ninja
4/26/2019 | 3:13:06 PM
Google File Cabinet
As the article points out, this is not a Google File Cabinet vulnerability but an attacker doing a phishing attack on Google's trusted brand.