The infamous Russian Carbanak cybercrime gang has begun using various Google services for its command and control (C&C) communications, enabling it to hide in plain sight, according to Forcepoint.
The cybersecurity firm recently investigated a weaponized RTF document which, when opened, uses social engineering to trick the recipient into clicking on an envelope image to “unlock the contents.”
Doing so brings up a dialog box asking whether the user wants to open the file unprotected.vbe.
If they do, VBScript malware typical of the Carbanak group will execute.
However, Forcepoint also discovered a new 'ggldr' script module encoded inside the main VBScript file, capable of utilizing Google services for its C&C comms.
“The ‘ggldr’ script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. For each infected user, a unique Google Sheets spreadsheet is dynamically created in order to manage each victim,” explained senior security researcher Nick Griffin.
“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.”
As such, the ploy represents a much better chance of success than registering random new domains, or domains with no reputation, he argued.
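Because the destination domains are trusted, defenders have to look at which process is talking to them rather than at domain reputation. The following is an added example, not taken from Forcepoint's research: it flags Windows Script Host processes that contact Google service hostnames in proxy or endpoint logs. The log format, workstation names, hostname list and process list are all assumptions made for the illustration.

```python
from collections import defaultdict

# Assumption: hostnames that front the services named in the article
# (Apps Script, Sheets, Forms). Adjust to what your proxy actually logs.
GOOGLE_SERVICE_HOSTS = {"script.google.com", "docs.google.com"}
# Assumption: a .vbe file runs under Windows Script Host, not a browser.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample records: "timestamp workstation process dest_host url_path"
SAMPLE_LOG = """\
2024-01-01T09:01:12Z WS-014 chrome.exe docs.google.com /constructed/a
2024-01-01T09:02:40Z WS-022 wscript.exe script.google.com /constructed/b
2024-01-01T09:07:41Z WS-022 wscript.exe docs.google.com /constructed/c
2024-01-01T09:12:43Z WS-022 WScript.exe script.google.com /constructed/b
2024-01-01T09:15:00Z WS-031 cscript.exe intranet.example.test /inventory
malformed line
"""

def parse(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, process, dest, path = parts
    # Normalise case and a trailing dot so "WScript.exe" still matches.
    return {"ts": ts, "host": host, "process": process.lower(),
            "dest": dest.lower().rstrip("."), "path": path}

def script_host_google_traffic(log_text):
    """Map (workstation, process) -> {"requests": n, "dests": sorted hosts}
    for script interpreters that contacted the Google service hostnames."""
    hits = defaultdict(lambda: {"requests": 0, "dests": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip records that do not fit the assumed format
        if rec["process"] in SCRIPT_HOSTS and rec["dest"] in GOOGLE_SERVICE_HOSTS:
            entry = hits[(rec["host"], rec["process"])]
            entry["requests"] += 1
            entry["dests"].add(rec["dest"])
    return {k: {"requests": v["requests"], "dests": sorted(v["dests"])}
            for k, v in hits.items()}

if __name__ == "__main__":
    for (host, proc), info in script_host_google_traffic(SAMPLE_LOG).items():
        print(host, proc, info["requests"], ",".join(info["dests"]))
```

Browser traffic to the same hostnames is deliberately ignored, so the result is a short list of workstations to triage rather than a verdict.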
Forcepoint has notified Google and is working with the web giant on this particular abuse of its services.
But the trend of using legitimate web services to hide C&C communications is increasingly widespread.
Just last year, researchers discovered an Android botnet that uses Twitter instead of traditional C&C servers.
Carbanak has been around since at least 2013, when it was found using advanced APT techniques to steal up to $1 billion from 100 banks worldwide over a two-year period.
In March last year it reappeared with an apparent focus on the Middle East, Europe and the US.