Attackers Abuses Google Sites File Cabinets Template to Deliver Malware

computer security breach articles

Security researchers have discovered threat actors have been using Google sites file cabinets template to deliver banking malware named LoadPCBanker.

Google sites is a platform which can be used by anyone to build a simple website. The file cabinet allows you to upload images or documents to be hosted on the websites.

Now researchers at Netskope Threat Research Labs discovered a drive-by download attack in Google which leverages Google sites file cabinets template as the delivery vehicle.

Cybercriminals are using the file cabinet template to upload the malware to the websites and generate a malicious URL which will be sent to other victims via phishing emails.

Google sites file cabinets template
                                                                           Delivery mechanism of LoadPCBanker using google sites

The victims who click the links are redirected to attackers websites and where they are shown malicious executable pdf files in the name of a hotel reservation.

The malware attacking chain begins with a first stage parent downloader which downloads the next stage payloads from a file hosting website.

In the next stage, payloads collect screenshots, clipboard data, and keystrokes from the victim and use SQL as an exfiltration channel to send the data to the attacker’s server.

Researchers noted that threat actors leverage victims “implicit trust to vendors like Google. As a result, they are more likely to fall victim to an attack launched from within a Google service.”

In google service like Gmail, they block malicious file upload, but in Google File Cabinet they do not have such protection.

According to the analysis, Threat actors were seen targeting Brazil or Portuguese speaking individuals.

“During our analysis, we identified that the threat actor was particularly interested in surveilling a specific set of machines and capturing screenshots of the victims’ machines that were compromised from this attack. We derived this because we noticed a lot of infected machine responses, but only a few were being actively surveilled. At the time of writing, the threat actor was actively monitoring 20 infected hosts.”

For more details about the attack and malware, you can visit the blog post published by Netskope Threat Research Labs here.

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin and Twitter.

You may be interested in reading:Researchers Discovered New Victim of Powerful Triton Malware

Please rate this content