Cybercrime gang “Carbanak” is now using Google infrastructure as a Command and Control (C&C) channel for malware delivered through weaponized documents, according to Forcepoint Security Labs.
The researchers found a trojanized RTF document that contains an encoded Visual Basic Script (VBScript), called the ‘ggldr’ script, that looks typical of Carbanak malware.
The new attack method infects users through that script, which then sends commands to and receives commands from Google Apps Script, Google Sheets and Google Forms.
Forcepoint says organisations are unlikely to block these Google services by default, so attackers can easily establish a C&C channel over them, essentially hiding in plain sight.
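Because blocking Google outright is rarely an option, the practical detection pivot is not the destination but the originating process: a browser or the Drive client fetching a Sheet is normal, a script host or Office binary beaconing to an Apps Script web app is not. The following is an added example, not Forcepoint's detection logic or anything from the original report. It assumes the public hostnames and paths for Apps Script web apps, Sheets and Forms (the article names the services, not the URLs), and it runs over constructed proxy/EDR log lines in a hypothetical `key=value` format.

```python
"""Flag script-host processes talking to Google Apps Script, Sheets or Forms.

Added example for the Carbanak/Google C&C article; not Forcepoint's code.
Assumptions: the endpoint patterns below are the public URLs for Apps Script
web apps, Sheets and Forms, and the log format is a hypothetical one that
records the originating process for each web request.
"""
import re
from collections import defaultdict

# Google endpoints a beaconing script would have to reach (assumption: these
# are the public hostnames/paths; the article only names the services).
C2_CAPABLE_PATTERNS = (
    re.compile(r"^https?://script\.google\.com/macros/"),
    re.compile(r"^https?://docs\.google\.com/spreadsheets/"),
    re.compile(r"^https?://docs\.google\.com/forms/"),
)

# Processes that should never be the direct HTTP client of a Google web app.
# Browsers and the Google Drive client are the expected clients and are not listed.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
    "rundll32.exe", "regsvr32.exe", "winword.exe", "excel.exe",
}

# Hypothetical log format: "<ts> host=<h> user=<u> process=<p> url=<url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"process=(?P<process>\S+) url=(?P<url>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_google_c2_candidate(event):
    """True when a script-host process requests a C&C-capable Google endpoint."""
    if not any(p.match(event["url"]) for p in C2_CAPABLE_PATTERNS):
        return False
    return event["process"].lower() in SCRIPT_HOSTS


def find_suspicious(lines):
    """Parse every line and keep the events that match the detection rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_google_c2_candidate(ev):
            hits.append(ev)
    return hits


def beacon_counts(hits):
    """Count hits per (host, process); repeated hits from one pair suggest beaconing."""
    counts = defaultdict(int)
    for ev in hits:
        counts[(ev["host"], ev["process"].lower())] += 1
    return dict(counts)


# Constructed sample log. IDs such as EXAMPLE-S are placeholders, not real documents.
SAMPLE_LOG = [
    "2017-01-17T09:00:01Z host=ws-04 user=alice process=chrome.exe url=https://docs.google.com/spreadsheets/d/EXAMPLE-A/edit",
    "2017-01-17T09:00:05Z host=ws-17 user=bob process=winword.exe url=https://docs.google.com/forms/d/e/EXAMPLE-F/formResponse",
    "2017-01-17T09:00:07Z host=ws-17 user=bob process=wscript.exe url=https://script.google.com/macros/s/EXAMPLE-S/exec",
    "2017-01-17T09:05:07Z host=ws-17 user=bob process=wscript.exe url=https://script.google.com/macros/s/EXAMPLE-S/exec",
    "2017-01-17T09:10:08Z host=ws-17 user=bob process=wscript.exe url=https://docs.google.com/spreadsheets/d/EXAMPLE-B/export?format=csv",
    "2017-01-17T09:10:30Z host=ws-09 user=carol process=chrome.exe url=https://script.google.com/macros/s/EXAMPLE-T/exec",
    "2017-01-17T09:11:00Z host=ws-09 user=carol process=outlook.exe url=https://mail.google.com/",
    "not a log line",
]

if __name__ == "__main__":
    suspicious = find_suspicious(SAMPLE_LOG)
    for ev in suspicious:
        print(f"{ev['ts']} {ev['host']} {ev['process']} -> {ev['url']}")
    for (host, proc), n in beacon_counts(suspicious).items():
        print(f"{host} {proc}: {n} request(s) to Google C&C-capable endpoints")
```

The rule deliberately lets the browser requests through, including the one to `script.google.com`, since users legitimately run Apps Script web apps; only the process context turns the same destination into a signal. Expect false positives from Office add-ins that call Sheets directly, so the per-host counts are there to separate one-off lookups from periodic beaconing before anyone is paged.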
“The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation,” says Nicholas Griffin on the company’s blog.
The company says it has informed Google of the abuse and the two have been working together to share more information. Forcepoint is also continuing to monitor Carbanak’s activities.
The Carbanak gang was first publicly reported in 2015. They typically use targeted malware attacks to steal from financial institutions, but have been branching out into distributing malware through weaponized office documents hosted on mirrored domains.