Hacking group uses Google services to control malware
Carbanak, a powerful cyber-crime group, is using certain Google services as command and control (C&C) for its malware and other malicious elements. The news was released by cybersecurity firm Forcepoint this week.
Forcepoint uncovered a trojanized RTF document which, once run, will "send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services."
Each infected user gets a unique Google Sheets spreadsheet, allowing the attackers to "manage" each victim. This approach gives the group two key advantages. First, it lets them hide in plain sight; second, organizations are highly unlikely to block Google services by default, meaning the C&C can be set up successfully.
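Because blocking these Google services outright is rarely practical, detection has to key on which process is talking to them. The sketch below is an added example, not code from Forcepoint or the original article: it flags a non-browser process on a host that contacts two or more of the three services named above. The URL prefixes, the log layout, and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed URL prefixes for the three services named in the article.
WATCHED = {
    "apps_script": ("script.google.com", "/macros/"),
    "sheets": ("docs.google.com", "/spreadsheets/"),
    "forms": ("docs.google.com", "/forms/"),
}
# Processes expected to reach these services interactively (assumed allow-list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed endpoint network telemetry (hypothetical format): host, process, url.
SAMPLE_LOG = """\
host,process,url
ws-014,chrome.exe,https://docs.google.com/spreadsheets/d/EXAMPLE1/edit
ws-022,wscript.exe,https://script.google.com/macros/s/EXAMPLE2/exec
ws-022,wscript.exe,https://docs.google.com/forms/d/e/EXAMPLE3/formResponse
ws-022,wscript.exe,https://docs.google.com/spreadsheets/d/EXAMPLE4/export
ws-031,winword.exe,https://docs.google.com/spreadsheets/d/EXAMPLE5/edit
ws-040,powershell.exe,https://www.google.com/search?q=test
"""

def classify(url):
    """Return the watched service a URL belongs to, or None."""
    parts = urlsplit(url)
    for name, (host, prefix) in WATCHED.items():
        if parts.hostname == host and parts.path.startswith(prefix):
            return name
    return None

def find_suspects(log_text, min_services=2):
    """Map (host, process) -> watched services used by non-browser processes."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        service = classify(row["url"])
        process = row["process"].lower()
        if service and process not in BROWSERS:
            seen[(row["host"], process)].add(service)
    # One service alone is common (e.g. an embedded sheet); several together is rarer.
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

if __name__ == "__main__":
    for (host, proc), services in find_suspects(SAMPLE_LOG).items():
        print(f"{host} {proc}: {', '.join(services)}")
```

Lowering `min_services` to 1 widens the net to any non-browser process touching a single service, at the cost of more benign hits such as office applications opening shared sheets.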
Forcepoint said it doesn’t know how many of these C&C channels were open, but it did notify Google.
"The Carbanak actors continue to look for stealth techniques to evade detection," Forcepoint says in its report. "Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation."
Carbanak was previously known for stealing up to a billion dollars from more than 100 banks in 30 countries. The robbery was revealed in 2015.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.
Image Credit: Brian Klug / Flickr