Security Vulnerability
January 23, 2017 by

Bank Heist Cybercriminal Gang Found Using Google Services for Malware Operations

The Carbanak cybercriminal gang, the hacker group behind a cumulative theft of over a billion dollars from over 100 banks in 2015, has been found abusing a number of Google services to carry its command and control (C&C) communications.

Security researchers at Forcepoint Security Labs have discovered that the Carbanak Group has been using Google services for command and control while hiding in plain sight. The discovery was made during a routine investigation into an active exploit delivered in phishing emails carrying an RTF attachment.

In a blog post, senior security researcher Nicholas Griffin at Forcepoint wrote:

The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.

The Carbanak Group (also known as Anunak) was first exposed as a financially motivated cybercriminal group in 2015. It operates by targeting financial institutions with malware.

In this particular instance, the RTF attachment carried an embedded OLE object containing a VBScript (Visual Basic Script) previously associated with the Carbanak malware. The VBScript typically relies on a social engineering ploy: the victim is tricked into clicking the image of an envelope that supposedly ‘unlocks the contents’. A dialog box then pops up, asking whether the victim wants to run a file titled unprotected.vbe.

If the file is executed, Carbanak’s VBScript malware is triggered. From there, the malware sends and receives commands to and from Google services such as Google Apps Script, Google Sheets and Google Forms.

For every infected user, a unique Google Sheets spreadsheet is created dynamically so that each victim can be managed separately.

Researchers added:

The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.

Google has been notified of the concern by Forcepoint and there is an active effort to curb the abuse of its services by the Carbanak cybercriminal group.
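Because the Google endpoints involved are legitimate and rarely blocked, detection has to rest on how the traffic behaves rather than on where it goes. The following is an added example, not code from Forcepoint or the article: it scans a constructed proxy log (format, IPs, timestamps and URL identifiers are all assumed) for clients that poll the Apps Script, Sheets or Forms endpoints named above at machine-regular intervals, which is the beaconing pattern a scripted C&C client produces and a human user does not.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log format for this example: "<ISO timestamp> <client ip> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
# Endpoints of the Google services the article names as the C&C channel (Apps Script,
# Sheets, Forms). Legitimate use is common, so a hit alone is not an alert; it only
# qualifies the traffic for the beacon-timing check below.
C2_ENDPOINT_RE = re.compile(
    r"^https?://(script\.google\.com/macros/|docs\.google\.com/(spreadsheets|forms)/)")

def parse_line(line):
    """Return (timestamp, client_ip, url), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, url = m.groups()
    return datetime.fromisoformat(ts), src, url

def find_google_beacons(lines, min_hits=4, max_jitter=0.2):
    """Map client_ip -> mean interval (s) for clients polling the endpoints above regularly."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and C2_ENDPOINT_RE.match(parsed[2]):
            hits[parsed[1]].append(parsed[0])
    beacons = {}
    for src, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: scripted polling has little jitter; a person
        # editing a sheet or filling a form does not produce evenly spaced requests.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[src] = avg
    return beacons

# Constructed sample: 10.0.0.5 polls an Apps Script URL every ~60 s (C&C-like);
# 10.0.0.9 opens a spreadsheet at irregular, human-looking intervals.
C2_URL = "https://script.google.com/macros/s/EXAMPLEID/exec"
SHEET_URL = "https://docs.google.com/spreadsheets/d/EXAMPLEDOC/edit"
SAMPLE_LOG = (
    [f"2017-01-23T{t} 10.0.0.5 {C2_URL}" for t in ("09:00:00", "09:01:01", "09:01:59", "09:03:00")]
    + [f"2017-01-23T{t} 10.0.0.9 {SHEET_URL}" for t in ("09:00:10", "09:07:45", "09:31:02", "09:33:00")]
)
```

Running `find_google_beacons(SAMPLE_LOG)` flags only 10.0.0.5 with a 60-second mean interval; the thresholds are starting points to tune against a site's own baseline of Google Workspace traffic.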

Image credit: Pixabay.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
