grandeduc - Fotolia

Carbanak gang using Google services for command and control

Researchers find the Carbanak gang has evolved its attacks on financial institutions to use Google services for command and control infrastructure in malware.

The infamous Carbanak gang may have been using Google cloud services as command and control infrastructure for malware embedded in malicious Office documents.

Nicholas Griffin, senior security researcher at Forcepoint Security Labs, said the company found a "trojanized RTF document" as part of a campaign using "weaponized office documents ... to distribute malware" and evade detection.

"The [VBScript] script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim," Griffin wrote in a blog post. "The use of a legitimate third-party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a [command and control] channel successfully."

Brian Hussey, global director of incident response and computer forensics at Trustwave, said he has seen "significant attack activity" from a group believed to be the Carbanak gang specifically targeting the U.S., Canada and Europe.

"The attacker does not have to directly connect to the victim network in order to update his malware or attack methodology. Scripts and commands can be dynamically updated on Google's Cloud servers, allowing for rapid pivoting capabilities," Hussey told SearchSecurity. "Additionally, the Google servers are always up, they use standard open ports, and they would be extremely difficult to black list. This all makes them very attractive for both issuing attacks and for exfiltration."

Carl Leonard, principal security analyst at Forcepoint, told SearchSecurity this tactic was akin to "hiding in plain sight, as most admins would not consider Google traffic to be involved in a malicious campaign."

Ajay Uggirala, director of product marketing at Imperva, said threat actors in general have become more likely to use "other devices and services to launch an attack campaign."

"This is evident from last year's DDoS attacks, such as the Mirai attack on Dyn and Liberia. The proliferation of IoT devices and open internet services are and will be used by cybercriminals to launch their attack campaigns," Uggirala told SearchSecurity. "Think of it this way: If a thief wants to rob a bank, they may steal a car as the drive-away vehicle. Any server, application or device that is open or can be manipulated is likely to be targeted by cybercriminals as a launch vehicle for their attack campaigns mainly to hide their tracks and because it is less expensive."

Forcepoint said they are working with Google to prevent the Carbanak gang and others from using its servers like this, but experts disagreed on how effective Google can be in this endeavor.

Hussey said stopping this is not easy, but "Google has very smart people working on this issue." 

"They need to remain accessible and open for their client base but still want to avoid any malicious usage. These dual requirements can conflict with each other," Hussey said. "Some of the other challenges are that the attackers are encoding their malicious scripts on the cloud servers using XOR and Base64. This makes it even more difficult to identify malicious scripts via automated scans."

John Bambenek, threat systems manager at Fidelis Cybersecurity, said it might be possible for Google to help victims in these attacks.

"The researchers in this case gave a great deal of information to Google and there are several fingerprints Google can search for in an automated fashion to prevent their system being used this way," Bambenek told SearchSecurity. "What is even more interesting is that Google could also effectively sinkhole the victims to help those organizations clean up their infections."

Ultimately though, experts agreed that despite the sophistication of the malware used by the Carbanak gang, enterprises need only worry about preventing the malicious Office document from being opened.

Hussey said stopping the initial attack vector is "ideal." 

"The attacker uses very persuasive social engineering techniques, so employee training, social engineering penetration tests, and segmenting the reservation or customer facing network from the internal network would all be beneficial," Hussey said. "Disabling Office macros is a good short-term fix. You've got to be able to respond and remediate rapidly. Secure Email technology to block phishing attacks is also a good addition to a security program." 

Bambenek agreed, and stressed the importance of security awareness. "Users should be wary of documents coming in from unknown sources and they should never allow VBE scripts to be run," he said. "The attack relied on users double-clicking on the embedded object, which would run the VBScript to start the chain of infection. Good security awareness is key and strong mail filtering to look for such objects and prevent them from being delivered to end users."

Next Steps

Learn more about choosing the right email security gateway.

Find out how a Carbanak malware attack caused nearly $1 billion in bank losses.

Get info on command and control servers and how they govern malware.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing