The Carbanak cybercriminal gang, the hacker group behind a cumulative theft of over a billion dollars from over 100 banks in 2015 has been found abusing a number of Google services to issue command and control (C&C) communications.
Security researchers at Forcepoint Security Labs have discovered that the Carbanak Group have been using Google services for command and control while hiding in plain sight. The discovery was made during a routine investigation into an active exploit sent in phishing emails that saw an RTF attachment.
In a blog post, senior security researcher Nicholas Griffin at Forcepoint wrote:
The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.
The Carbanak Group (also known as Anunak) were first exposed as a financially motivated cybercriminal group in 2015. They operate by targeting financial institutions with malware.
In this particular instance, the RTF document featured an OLE object embedded within the RTF attachment that pointedly contained a VBScript (Visual Basic Script), previously associated with the Carbanak malware. This VBScript typically uses a social engineering ploy to trick victims into clicking on the image of an envelope that would then ‘unlock the contents’. A dialog box pops up, asking if the victim wants to run a file titled unprotected.vbe.
If the file is executed, Carbanak’s VBScript malware will see itself triggered. From here, the malware then proceeds to send and receive commands “to and from” Google services such as Google Apps Script, Google Sheets and Google Forms services.
For every infected user, a unique Google Sheets spreadsheet is created, dynamically, in order to manage each victim.
The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.
Google has been notified of the concern by Forcepoint and there is an active effort to curb the abuse of its services by the Carbanak cybercriminal group.
Image credit: Pixabay.