The Cobalt Strike advanced persistent threat (APT) group is using Google App Engine to spread PDF malware against financial firms.
Security researchers at Netskope have discovered a sophisticated malware campaign in which cybercriminals are abusing Google App Engine (part of Google Cloud Platform, GCP), a web framework and cloud computing platform, to deliver malware via PDF decoys.
According to the researchers, the malware campaign is currently targeting financial and government institutions, especially banking giants, on a global level. The evidence suggests that the mastermind behind these attacks is Cobalt Strike, a cybercriminal group previously known for malware attacks against financial firms.
It all started this month when the company saw several of its financial-sector clients receive emails carrying .eml attachments that shared the same detection name. On closer inspection, the researchers confirmed that it was the .eml attachments that were triggering the detection.
Notably, these files downloaded either Microsoft Word documents containing obfuscated macro code or PDF documents as the second-stage payload.
“The PDF decoy detected in our customer instances downloaded a Word document named ‘Doc102018.doc’ containing obfuscated macro code…On execution, the victim is presented with a message to enable editing and content mode to view the document,” said Netskope researchers in their blog post.
PDF readers normally display a security warning whenever a document tries to connect to a website. However, once “Remember this action for this site” has been checked for a domain, the reader allows any URL within that domain without any further prompt, which is especially dangerous in this case because the domain is appengine.google.com.
“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a Google App Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely.”
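As an added illustration of the detection side of the chain described above (this is example code written for this article, not code from Netskope or from the campaign), the following Python script parses an .eml file, extracts its PDF attachments, lists the /URI link targets found in the raw PDF bytes, and flags any whose host is appengine.google.com, the domain the article names as one a reader may already have been told to trust via “Remember this action for this site”. The sample email and PDF are constructed inline for the example, and the redirect path in the sample link is a placeholder, not the path used in the campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Domains a PDF reader may have been taught to trust through "Remember this
# action for this site", so a link to them draws no prompt. appengine.google.com
# is the domain named in the report; treating it as a watch-list is this
# example's assumption.
ABUSABLE_TRUSTED_HOSTS = {"appengine.google.com"}

# /URI actions stored as literal PDF strings "(...)". Hex-encoded strings are
# not handled here (assumption: the decoy uses literal strings).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample PDF (not a real decoy): one link to the trusted domain
# with a placeholder redirect path, one ordinary link.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (https://appengine.google.com/redirect-placeholder?to=https://example.invalid/decoy) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (https://www.example.org/terms) >> >> endobj\n"
    b"%%EOF\n"
)


def pdf_uris(pdf_bytes):
    """Return every /URI target string found in the raw PDF bytes, in order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def suspicious_uris(pdf_bytes):
    """Return the /URI targets whose host is on the trusted-but-abusable list."""
    hits = []
    for uri in pdf_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        if host in ABUSABLE_TRUSTED_HOSTS:
            hits.append(uri)
    return hits


def scan_eml(raw_eml):
    """Parse an .eml, walk its MIME parts and report PDF attachments that carry
    links to a trusted-but-abusable host. Returns [(filename, [uri, ...]), ...]."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "application/pdf":
            continue
        name = part.get_filename() or "<unnamed>"
        hits = suspicious_uris(part.get_payload(decode=True))
        if hits:
            findings.append((name, hits))
    return findings


def build_sample_eml():
    """Construct a sample .eml (not a real capture) with the sample PDF attached."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="Invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, uris in scan_eml(build_sample_eml()):
        print(f"{filename}: links to trusted-but-abusable host -> {uris}")
```

The script looks only at where a link points, not at what the redirect eventually serves, so it is a triage signal for mail-gateway or sandbox pipelines rather than a verdict: a legitimate document can link to App Engine too, and the decoy's second stage (the macro-laden Word file) is only reached after the redirect.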
The researchers suggest that users refrain from downloading unknown file attachments from anonymous emails and avoid executing them “unless they are very sure that they are benign.” They also advise keeping systems updated, using an anti-malware solution, and scanning URLs and files on VirusTotal.
This, however, is not the first time a Google service has been abused to spread malware. A couple of days ago, researchers identified the DarkHydrus phishery tool spreading a new variant of the RogueRobin malware to target Middle Eastern politicians by abusing Google Drive.
Last year, HackRead exclusively reported how hackers were using Google AdWords and Google Sites to spread malware disguised as a fake version of the Google Chrome browser.
Moreover, in 2017, hackers were also found exploiting Google Search results to distribute the Zeus Panda banking trojan using SEO malvertising and SERP poisoning.
In October last year, researchers identified strange and infrequent behavior on Googlebot servers, from which malicious requests were originating. After digging further, they discovered that hackers were using Googlebots in cryptomining malware attacks.