Notorious cybercrime gang targeting Google Apps for C&C attacks

26 Jan 2017

Cybercrime gang “Carbanak” is now using Google infrastructure to act as a Command and Control (C&C) for weaponized documents, according to Forcepoint Security Labs.

Lab researchers found a trojanized RTF document that includes an encoded Visual Basic Script (VBScript), called the ‘ggldr’ script, that looks typical of Carbanak malware.

The new attack method infects users through a script that will send and receive commands both to and from Google Apps Script, Google Sheets and Google Forms.

Forcepoint says that it’s unlikely that organisations block these Google services by default, so attackers can easily establish a C&C – essentially hiding in plain sight.
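Because the Google services themselves are legitimate and rarely blocked, the usable signal for defenders is behavioural: a Windows script host spawned by an Office process that then connects to Apps Script, Sheets or Forms endpoints. The following is an added example (not code from the article or from Forcepoint) of that check run over constructed endpoint telemetry; the log format, host names and the Google domains it watches are assumptions.

```python
import re

# Google endpoints assumed to serve the Apps Script / Sheets / Forms C&C channel.
GOOGLE_C2_HOSTS = {"script.google.com", "docs.google.com"}
# Windows script hosts that a VBScript dropped from an RTF would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Office parents: a script host spawned by one is the behavioural signal,
# since the Google hosts themselves are legitimate and cannot be blocked outright.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

LINE_RE = re.compile(  # assumed telemetry format, one event per line
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"parent=(?P<parent>\S+) event=(?P<event>\S+)(?: dst=(?P<dst>\S+))?$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (host, pid, dst) for Office-spawned script hosts reaching Google C&C endpoints."""
    office_children = set()  # (host, pid) of script hosts whose parent is an Office process
    hits = []
    for rec in filter(None, map(parse, lines)):
        key = (rec["host"], rec["pid"])
        if rec["event"] == "process_start" and rec["proc"].lower() in SCRIPT_HOSTS \
                and rec["parent"].lower() in OFFICE_PARENTS:
            office_children.add(key)
        elif rec["event"] == "net_connect" and key in office_children \
                and (rec["dst"] or "").lower() in GOOGLE_C2_HOSTS:
            hits.append((rec["host"], rec["pid"], rec["dst"]))
    return hits

# Constructed sample telemetry (not from the article): a benign browser visit, an
# Office-spawned wscript.exe that beacons to Google, and a non-Office wscript.exe.
SAMPLE_LOG = """\
2017-01-26T09:00:01Z host=WS01 pid=412 proc=chrome.exe parent=explorer.exe event=net_connect dst=docs.google.com
2017-01-26T09:01:10Z host=WS01 pid=988 proc=winword.exe parent=explorer.exe event=process_start
2017-01-26T09:01:12Z host=WS01 pid=1040 proc=wscript.exe parent=winword.exe event=process_start
2017-01-26T09:01:15Z host=WS01 pid=1040 proc=wscript.exe parent=winword.exe event=net_connect dst=script.google.com
2017-01-26T09:01:20Z host=WS01 pid=1040 proc=wscript.exe parent=winword.exe event=net_connect dst=docs.google.com
2017-01-26T09:02:00Z host=WS02 pid=77 proc=wscript.exe parent=explorer.exe event=net_connect dst=script.google.com
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious Google C&C beacon:", hit)
```

Only the Office-spawned script host is reported; the browser visit and the wscript.exe launched from explorer.exe are left alone, which is the point of keying on the parent process rather than the destination domain.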

“The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation,” says Nicholas Griffin on the company’s blog.

The company says it has informed Google of the abuse and they have been working together to share more information. Forcepoint is also monitoring Carbanak’s activities.

The Carbanak gang was first discovered in 2015. They typically use targeted malware attacks to steal from financial institutions, but they have been branching out into distributing malware through weaponized office documents hosted on mirrored domains.
