Malware-analysis and anti-virus firms Forcepoint and Trustwave recently investigated malicious documents sent as email attachments (malicious Microsoft Word RTF attachments) tied to the Carbanak criminal gang, infamous for stealing billions of dollars from banks by infecting anything from ATMs to point-of-sale (POS) devices. What makes this attack interesting is that the Trojan exchanged information with the attacker through Google servers, and hence kept the entire intrusion under the radar while bypassing strict enterprise firewall rules, since traffic to Google is generally white-listed by most organisations.

Forcepoint claims that they have notified Google of this activity and are working with them to share additional information. A request for comment from Google was not returned in time for publication.


The nature of the attack

As is typical of such attacks, the mails carrying infected documents come from unknown senders and are made to look as if they are from someone you might know (spear phishing). Note that such emails are not forwarded by people on your contact list; they come from unknown senders who make them look like mail from someone you may trust, for example by using the domain prsnewwire[.]com instead of prnewswire.com. In the case discussed above, the attackers actually called their victims on the phone (social engineering) to trick staff, mostly in the hospitality and retail sectors of Europe and North America, into opening the attachment.

Your computer is not affected simply by receiving the mail. You have to open the MS Word attachment to view or download it. In this particular case, you also had to fall into the trap of double-clicking the embedded OLE object, which is disguised as an image of an envelope (see below). Double-clicking the image brings up a file-open dialog for ‘unprotected.vbe’. Only if the user executes this file does the Visual Basic (VB) Script malware begin to run.

Only clicking this opens the next dialog

Only when you click “Open” does the VB script run and drop malware on your computer

The VB script in turn runs a JavaScript file. Google Apps Script is a JavaScript-based cloud scripting language that provides ways to automate tasks across Google products and third-party services and to build web applications. A script written in it creates a Google Form for each infected victim. Values fed into a Google Form are stored in a Google Spreadsheet by default, so the data exfiltrated from any given infected victim is stored there, where the attacker can monitor it. (For those who wish to understand more about how Google Forms and Sheets are used and linked, please scroll to the postscript at the end of the article for a graphic explanation.)

But it does more…

In addition to manually collecting data sent back from the target’s computer into the spreadsheet, the attacker also loads the spreadsheet with commands and additional malware that are pushed to the victim’s machine. The malicious code used in these operations was split among memory-resident code, scripting code (PowerShell, JavaScript, VB Script), executables (often variants of existing malware) and, finally, customised versions of toolkits such as Metasploit, PowerSploit and the Veil Framework. The image below illustrates how PowerShell commands are loaded by the attacker into the Google Form/spreadsheet and then retrieved by the Trojan from the Google spreadsheet.
Encoded PowerShell commands are retrieved from Google Spreadsheet
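Because the command channel above rides on Google services that most proxies allow, the practical detection point is not the destination alone but the pairing of destination with originating process. The following is an added example (not code from the article): the records are constructed in the shape of Sysmon network-connection events (Event ID 3) with the process image included, and the rule flags script interpreters such as wscript.exe or powershell.exe reaching Google Forms, Sheets or Apps Script endpoints while leaving a browser's visit to docs.google.com alone. Timestamps, host names and the endpoint list are assumptions for the sample.

```python
"""Spot script interpreters talking to Google Forms, Sheets or Apps Script.

Added example, not code from the article. SAMPLE_LOG is constructed in
the shape of Sysmon Event ID 3 records; a real deployment would feed the
same logic from the SIEM or EDR.
"""
# interpreters the article's chain uses (VB Script, PowerShell); browsers are absent on purpose
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# endpoints behind Google Forms, Sheets and Apps Script (assumed list for the example)
GOOGLE_SCRIPT_ENDPOINTS = (
    "script.google.com",
    "script.googleusercontent.com",
    "docs.google.com",
    "sheets.googleapis.com",
    "forms.gle",
)

# constructed sample records: timestamp|host|process image|destination host|port
SAMPLE_LOG = """\
2017-01-17T10:02:11Z|WS-0412|C:\\Program Files\\Mozilla Firefox\\firefox.exe|docs.google.com|443
2017-01-17T10:02:13Z|WS-0412|C:\\Windows\\System32\\wscript.exe|script.google.com|443
2017-01-17T10:02:15Z|WS-0412|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|docs.google.com|443
2017-01-17T10:03:01Z|WS-0207|C:\\Windows\\System32\\svchost.exe|ctldl.windowsupdate.com|80
2017-01-17T10:03:05Z|WS-0207|C:\\Windows\\System32\\cscript.exe|intranet.corp.example|80
2017-01-17T10:04:40Z|WS-0207|C:\\Windows\\System32\\cscript.exe|script.googleusercontent.com|443
"""


def parse_record(line: str) -> dict:
    """Split one pipe-delimited record into its fields."""
    ts, host, image, dest, port = line.split("|")
    return {"timestamp": ts, "host": host, "image": image, "dest": dest.lower(), "port": int(port)}


def process_name(image: str) -> str:
    """Basename of the process image, lower-cased for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_google_script_endpoint(dest: str) -> bool:
    """Exact or subdomain match against the Forms/Sheets/Apps Script endpoints."""
    return any(dest == d or dest.endswith("." + d) for d in GOOGLE_SCRIPT_ENDPOINTS)


def is_suspicious(record: dict) -> bool:
    """True when a script host, rather than a browser or service, reaches such an endpoint."""
    return process_name(record["image"]) in SCRIPT_HOSTS and is_google_script_endpoint(record["dest"])


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (host, process, destination) for every record worth an analyst's attention."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_suspicious(rec):
            alerts.append((rec["host"], process_name(rec["image"]), rec["dest"]))
    return alerts


def hosts_by_alert_count(log_text: str) -> dict[str, int]:
    """Per-host tally, useful for deciding which machine to isolate first."""
    counts: dict[str, int] = {}
    for host, _, _ in detect(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT script host -> Google endpoint:", alert)
    print(hosts_by_alert_count(SAMPLE_LOG))
```

On the sample, the Firefox visit to docs.google.com and the svchost.exe update check pass silently, while the three script-host connections are raised; the same pairing logic works against proxy logs once the proxy records the originating process, which is the piece plain destination white-listing never sees.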


In the final analysis

With this development we are seeing the rise of particularly malicious Trojans that are not only harder to attribute to a particular source but also keep exfiltrating data after infection, regardless of the firewalls you may have in place. Exercising extreme caution both online and offline may be the only way ahead to mitigate this pernicious threat.


Postscript: how Google Forms are created and their responses linked to Google Spreadsheets (explained graphically)

1. A Google form is created

2. A spreadsheet is created and linked. Data fed into the form by respondents is stored in the spreadsheet.

In this case, the spreadsheet is created automatically via a script.


Scripts can be used to create forms and also to push data into the forms/sheets.


© Delhi Defence Review. Reproducing this content in full without permission is prohibited.