The Carbanak cyber gang has been found abusing diverse Google services to termination command too command (C&C) communications for monitoring too controlling the machines of unsuspecting malware victims.
Forcepoint Security Labs researchers said Tuesday that piece investigating an active exploit sent inwards phishing messages every bit an RTF attachment, they discovered that the Carbanak group has been hiding inwards patently site past times using Google services for command too control.
"The Carbanak actors hold to expect for stealth techniques to evade detection," Forcepoint's senior safety researcher Nicholas Griffin said inwards a blog post. "Using Google every bit an independent C&C channel is in all probability to endure to a greater extent than successful than using newly created domains or domains amongst no reputation."The RTF document features an embedded OLE object that contains a VBScript (Visual Basic Script), which is previously associated amongst the Carbanak malware, too uses social applied scientific discipline to play a trick on victims into clicking on an envelope paradigm to "unlock the contents."
If the victim runs the file, Carbanak's VBScript malware volition instruct executed, and, according to Forcepoint, the malware volition "send too have commands to too from Google Apps Script, Google Sheets, too Google Forms services."
Besides VBScript malware, Forcepoint researchers likewise discovered a novel 'ggldr' script module encoded within the primary VBScript file along amongst diverse other VBScript modules, capable of using Google services every bit a command too command channel.
"The ‘ggldr’ script volition ship too have commands to too from Google Apps Script, Google Sheets, too Google Forms services," "For each infected user a unique Google Sheets spreadsheet is dynamically created to create practise each victim," Griffin said.
"The role of a legitimate 3rd political party service similar this i gives the assaulter the might to shroud inwards patently sight. It is unlikely that these hosted Google services are blocked past times default inwards an organization, then it is to a greater extent than in all probability that the assaulter volition institute a C&C channel successfully."Forcepoint researchers consider it is in all probability that the hacking grouping is using Google services because these services are allowed past times default at many companies too organizations, which makes it easier for hackers to exfiltrate information too ship instructions.
Carbanak, likewise known every bit Anunak, is i of the some successful cybercriminal operations inwards the the world too is a highly organized grouping that continually evolves its tactics to demeanour out cyber offense piece avoiding detection past times potential targets too the authorities.
The grouping was start exposed inwards 2015 every bit financially-motivated cybercriminals targeting mainly fiscal institutions. Since it started operating inwards 2013, Carbanak has stolen upwards of $1 Billion from to a greater extent than than 100 banks across the globe.
Forcepoint has already notified Google of the issue, too its researchers are working amongst the spider web engineering giant on this detail abuse of its legitimate spider web services.
