Google File Cabinet Plays Host to Malware Payloads

Researchers detect a new drive-by download attack in which Google Sites file cabinet template is a delivery vehicle for malware.

Update: This story has been updated effective April 26, 2019 to reflect Googles statement.
Cybercriminals have been using the file cabinet template built into Google Sites to deliver the banking Trojan LoadPCBanker to victims who speak Portuguese and/or are based in Brazil, security researchers report.
Netskope Threat Research Labs noticed this attack in early April, largely because of the method of deployment. This [attack] was one that caught our eye because the delivery system was interesting, says Netskope architect Raymond Canzanese. Unlike Google services like Gmail, which block malicious file uploads, Google File Cabinet doesnt seem to have any such limits.
Google Sites is a legacy platform historically used to build simple websites. A separate functionality called Google File Cabinet is used to upload files to be hosted on a website. Cybercriminals are now using File Cabinet to upload malware to websites and send the links to victims via phishing emails. Victims who click the links — which are displayed with Google URLs — are taken to attackers websites. There, they are presented with a malicious executable, typically a PDF disguised as a guesthouse or hotel reservation, Canzanese says.
Researchers think the adversaries are relying on Googles brand trustworthiness. People have an implicit trust in vendors like Google, Netskopes Ashwin Vamshi wrote in a
blog post
. As a result, they are more likely to fall victim to an attack launched from within a Google service.
Further, Canzanese adds, targets may be more likely to click a Google link than a malicious attachment, which many employees are now trained to avoid. The emails will also bypass filters designed to block bad attachments before they arrive in victims inboxes.
The attack kill chain for LoadPCBanker starts with a first-stage parent downloader, which downloads next-stage payloads from a file hosting site. Next-stage payloads collect screenshots, clipboard data, and keystrokes from victims. All of the collected data is exfiltrated to the attackers server using SQL, which Canzanese notes is another interesting trait of this threat.
Its not something we see a lot of, he says of the SQL exfiltration. Researchers dont think its a sign of attacker sophistication; rather, they see it as a sign the intruders are trying to blend in. This way, exfiltrated information blends in with standard SQL traffic and may not be detected.
LoadPCBanker: Old Threat Resurfaces
While this particular series of attacks was found in April 2019, researchers say similar malware has been around since early 2014. Minor changes have been made over the years; however, there have been no major additions or edits to LoadPCBankers functionality, Canzanese says.
It seems these attackers are going after Brazil-based or Portuguese-speaking targets, based on an executable discovered with a Portuguese name. While researchers cant speak to the total number of targets, they did determine an approximate number being actively surveilled.
In the time weve been watching this, weve only seen 20 users actively being surveilled, says Canzanese. The attackers have taken screenshots from victims machines and tracked their keylogging, potentially trying to obtain user credentials. The targets IP addresses indicate theyre scattered all over Brazil; there is no sign a specific business is being singled out.
Interestingly, it seems the attackers are rotating their database credentials every few weeks, Canzanese says. Its unclear whether theyre getting caught and shutting down, or being cautious and trying to evade detection. Canzanese anticipates the latter is more likely.
Analysis shows this latest wave of attacks has been going on since February 2019. Its possible the same attacker is behind LoadPCBanker incidents in 2014 and 2019; however, Canzanese says its also possible the source code has been reused by multiple attackers in the same time frame.
We havent been able to find anything that indicates its been the same actor using it, he notes, adding that attribution is difficult without more concrete evidence. The team also doesnt have sufficient evidence to confirm this is the work of another attacker or group.
Update:
Google has responded to this story with the following: Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chromes Safe Browsing filters, according to a spokesperson.
Related Content:
Exploits for Adobe Vulnerabilities Spiked in 2018
7 Ways to Get the Most from Your IDS/IPS
Trojanized TeamViewer Used in Targeted Attacks Against Multiple Embassies
Tips for the Aftermath of a Cyberattack

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google File Cabinet Plays Host to Malware Payloads