Carbanak Group uses Google for malware command-and-control

Google Apps Script is being leveraged for malware C&C communication, writes Carl Leonard, head of Forcepoint Labs

In 2015, the Carbanak Gang, now infamous cyber criminals, pulled off a billion-dollar cyber heist, in what would be the first of many known criminal activities by the group, putting them on the radar of many security researchers around the globe.

In recent weeks, Forcepoint Security Labs has been investigating a new threat which we’ve tied to Carbanak Group, one which alarmingly utilises Google Apps Script for command and control (C&C) communication. Using a third-party service like Google allows the malware to hide in plain sight and function successfully: because the service appears to be a trusted source, it is often not blocked by default in most systems.

Forcepoint are now working with Google to ensure they are fully informed of the attack and have the right mitigation strategies in place.

Who are Carbanak?

Carbanak (also known as Anunak) are now understood to be a group of financially motivated criminals who typically steal from financial institutions using targeted malware. However, over the years since their discovery, targets have included a range of victims, from the financial industry to the hospitality industry and more. Recently, a new Carbanak attack campaign dubbed "Digital Plagiarist" was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware.

These attacks have typically involved advanced persistent threat (APT)-style campaign targeting. APT campaigns involve malware operating undetected in vulnerable systems over long periods of time and are typically very covert, with external command and control systems continuously monitoring and extracting data from the target.

What threat has been investigated?

The latest findings by Forcepoint Security Labs have shown how the cyber threat posed by Carbanak is constantly evolving. The most recent investigations which we tied to the Carbanak criminal gang have uncovered a trojanized RTF document. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. However, the most concerning finding was that recent samples of the malware now include the ability to use Google services for C&C communication, an evolution of the previous external C&C communication.

Below, we’ve included an overview of the stages involved in these attacks, as well as preventative measures organisations can take to protect themselves.

About the weaponised document

The RTF document we analyzed has an embedded OLE object which contains a VBScript file. When the document is opened, the targeted user is lured into double-clicking on the embedded OLE object, which is disguised as an image.

Double-clicking on the image results in a file open dialog for "unprotected.vbe". If the user executes this file, the VBScript malware will begin to execute.

Abusing Google for C&C Communication

The script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.

The C&C procedure is outlined in the diagram below.


How to get protected

Thankfully, it is possible to avoid these attacks by choosing the right security software. A good tool will protect its users by defending against malicious action at two stages of the attack. Firstly, users should look for a tool that offers heuristic-based file scanning and sandboxing; this will prevent the malware components from being downloaded and/or executed at the ‘dropper file’ stage (stage 5) of an attack. Secondly, these attacks can be stopped at the ‘call home’ stage (stage 6), where the HTTP-based Carbanak C&C traffic can be blocked; users should ensure their tool offers real-time content analysis of web traffic to defend against malicious threats.
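
One way to hunt for the ‘call home’ stage in process-tagged web logs, added here as an example and not taken from Forcepoint's research: flag Windows Script Host processes (which run VBScript files such as the .vbe described above) that contact Google Apps Script, Sheets or Forms. The log layout, the hostname list and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Hostnames behind Apps Script, Sheets and Forms (assumption: the article
# names the services but not the hostnames).
GOOGLE_SERVICE_HOSTS = {"script.google.com", "docs.google.com"}
# Windows Script Host binaries, which execute .vbs/.vbe files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample records: time, endpoint, process image, method, host, path.
SAMPLE_LOG = r"""
2024-05-06T09:00:01Z,WS-014,C:\Program Files\Google\Chrome\Application\chrome.exe,GET,docs.google.com,/spreadsheets/d/EXAMPLE-A/edit
2024-05-06T09:02:10Z,WS-022,C:\Windows\System32\WScript.exe,GET,script.google.com,/macros/s/EXAMPLE-B/exec
2024-05-06T09:02:40Z,WS-022,C:\Windows\System32\WScript.exe,POST,docs.google.com,/forms/d/e/EXAMPLE-C/formResponse
2024-05-06T09:03:10Z,WS-022,C:\Windows\System32\WScript.exe,GET,docs.google.com,/spreadsheets/d/EXAMPLE-D/export
2024-05-06T09:05:00Z,WS-031,C:\Windows\System32\cscript.exe,GET,intranet.example.com,/inventory.vbs
""".strip()


def find_script_host_google_traffic(log_text):
    """Return one finding per endpoint whose script host talked to Google services."""
    hits = defaultdict(lambda: {"hosts": set(), "requests": 0, "first_seen": None})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines instead of failing the whole run
        ts, endpoint, image, _method, host, _path = (f.strip() for f in row)
        # ntpath parses Windows paths correctly even when run on Linux/macOS.
        process = ntpath.basename(image).lower()
        if process in SCRIPT_HOSTS and host.lower() in GOOGLE_SERVICE_HOSTS:
            entry = hits[(endpoint, process)]
            entry["hosts"].add(host.lower())
            entry["requests"] += 1
            # ISO 8601 UTC timestamps sort correctly as plain strings.
            entry["first_seen"] = min(filter(None, [entry["first_seen"], ts]))
    return [
        {"endpoint": ep, "process": proc, "hosts": sorted(e["hosts"]),
         "requests": e["requests"], "first_seen": e["first_seen"]}
        for (ep, proc), e in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in find_script_host_google_traffic(SAMPLE_LOG):
        print(finding)
```

Browser traffic to the same Google hosts is ignored, so the check keys on which process made the request rather than on the destination alone.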

In Summary

The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation. Once compromised, a system affected by command-and-control malware can receive communications to complete malicious actions, such as remote control or data exfiltration to the attacker.

For more detail on technical specificities of the research findings, you can read Forcepoint’s detailed blog post here. To learn more about tools that protect against this threat, see here. Forcepoint will continue to monitor this group's activities and share data with trusted partners.
