Malware-analysis and anti-virus firms Forcepoint and Trustwave recently investigated malicious documents sent as email attachments (Microsoft Word attachments in RTF format) tied to the Carbanak criminal gang, infamous for stealing billions of dollars from banks by infecting anything from ATMs to point-of-sale (POS) devices. The interesting thing about this attack is that the Trojan exchanged information with the attacker through Google servers, which kept the entire intrusion under the radar and let it bypass strict enterprise firewall rules, since traffic to Google is white-listed by most organisations.
Forcepoint claims that they have notified Google of this activity and are working with them to share additional information. A request for comment from Google was not returned in time for publication.
The nature of the attack
As is typical of such attacks, the mails carrying the infected documents come from unknown senders but are made to look as though they are from someone you might know (spear phishing). Note that these emails are not forwarded by people in your contact list; they come from unknown senders who craft them to resemble mail from someone you trust, for example by sending from the domain prsnewwire[.]com instead of prnewswire.com. In the case discussed here, the attackers even called their victims over the phone (social engineering) to trick staff, mostly in the hospitality and retail sectors of Europe and North America, into opening the attachment.
Your computer is not affected merely by receiving the mail; you have to open the MS Word attachment to view or download it. In this particular case you also had to fall into the trap of double-clicking the embedded OLE object, which is disguised as an image of an envelope (see below). Double-clicking the image brings up a file-open dialog for ‘unprotected.vbe’, and only if the user runs this file does the Visual Basic Script (VBScript) malware begin to execute.
Only when you click “Open” does the VB script run and drop malware on your computer
But it does more…
Encoded PowerShell commands are retrieved from a Google Spreadsheet
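As an added illustration that is not part of the original article, the following Python snippet triages process-creation log lines for the chain described above (an Office document launching a script host on a .vbe file, PowerShell started with an encoded command, and a script host or PowerShell reaching Google Docs endpoints). The log field names, the rules and the sample lines are all constructed assumptions, not Forcepoint's or Trustwave's detection logic.

```python
"""Added example (not from the article or the vendors it cites): triage of
process-creation log lines for the chain Word attachment -> OLE lure ->
unprotected.vbe -> script host -> encoded PowerShell fetched from Google Sheets."""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Google endpoints of the kind the article says were used to retrieve commands
GOOGLE_DOC_HOSTS = ("docs.google.com", "script.google.com")

# Constructed sample log (key="value" pairs); not real telemetry.
SAMPLE_LOG = [
    'parent_image="WINWORD.EXE" image="wscript.exe" '
    'command_line="wscript.exe C:\\Temp\\unprotected.vbe" dest_host=""',
    'parent_image="wscript.exe" image="powershell.exe" '
    'command_line="powershell.exe -nop -w hidden -enc SQBFAFgAIAAo" dest_host="docs.google.com"',
    'parent_image="explorer.exe" image="chrome.exe" '
    'command_line="chrome.exe https://docs.google.com/spreadsheets/d/EXAMPLE" dest_host="docs.google.com"',
]

def parse_line(line: str) -> Dict[str, str]:
    """Turn key="value" pairs into a dict; values are lower-cased for matching."""
    return {k: v.lower() for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event trips (empty list if none)."""
    findings = []
    parent, image, cmd, dest = (event.get(k, "") for k in
                                ("parent_image", "image", "command_line", "dest_host"))
    # Rule 1: an Office process starting a script host on a .vbe (the "envelope" OLE lure)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS and ".vbe" in cmd:
        findings.append("office->vbe")
    # Rule 2: PowerShell launched with an encoded command (-e / -enc / -encodedcommand)
    if image == "powershell.exe" and re.search(r"\s-e(nc(odedcommand)?)?(\s|$)", cmd):
        findings.append("encoded-powershell")
    # Rule 3: a script host or PowerShell (not a browser) talking to Google Docs endpoints
    if image in SCRIPT_HOSTS | {"powershell.exe"} and dest.endswith(GOOGLE_DOC_HOSTS):
        findings.append("script-to-google-docs")
    return findings

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> rule names, only for lines that tripped at least one rule."""
    results = {i: triage(parse_line(line)) for i, line in enumerate(lines)}
    return {i: f for i, f in results.items() if f}
```

Rule 3 is the one that matters here: ordinary browser traffic to Google is expected, a script host or PowerShell process reaching the same hosts is not, and that distinction survives even when the destination is white-listed at the firewall.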
In the final analysis
With this development we are seeing the rise of particularly malicious Trojans that are not only harder to attribute to a source but also keep exfiltrating data after infection, regardless of the firewalls you have in place. Exercising extreme caution, both online and offline, may be the only way to mitigate this pernicious threat.
Postscript: how Google Forms are created and their responses linked to Google Sheets (explained graphically)
1. A Google form is created
2. A spreadsheet is created and linked to the form; data entered into the form by respondents is stored in the spreadsheet.
In this case the spreadsheet is created automatically by a script.
Scripts can be used both to create forms and to push data into the forms and sheets.
© Delhi Defence Review. Reproducing this content in full without permission is prohibited.