Malware Attack Using Google Cloud Computing Platform
Hackers have launched a global malware campaign that abuses the Google cloud computing platform and delivers its payload via weaponized PDFs.
Security researchers at Netskope Threat Research Labs detected the attack, which mostly targeted the banking and finance sector. Government organizations worldwide have been targeted as well.
A recent Netskope blog post authored by Ashwin Vamshi states, “Netskope Threat Research Labs detected several targeted themed attacks across 42 customer instances mostly in the banking and finance sector. The threat actors involved in these attacks used the App Engine Google Cloud computing platform (GCP) to deliver malware via PDF decoys. After further research, we confirmed evidence of these attacks targeting governments and financial firms worldwide.”
Netskope researchers also found that several decoys seemed related to the threat actor group ‘Cobalt Strike’.
The Netskope blog post explains that the hackers executed the attack “…by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload.” It adds, “This targeted attack is more convincing than the traditional attacks because the URL hosting the malware points the host URL to Google App Engine, thus making the victim believe the file is delivered from a trusted source like Google.”
Earlier this year, the Netskope team identified a set of common detections, all of them .eml files with the same detection name, across 42 customers in the banking and finance sector. The detections triggered alerts in Netskope’s Outbreak Detection Systems, which prompted an investigation. It was confirmed that the detections were triggered by the attachments of the .eml files. Ashwin Vamshi writes, “Leveraging our Netskope Discovery and Netskope Active Introspection Alerts platforms, we discovered these attacks were abusing Google App Engine on the Google Cloud Platform (GCP) as a bait to deliver malware.”
In his blog post, Ashwin Vamshi also explains how the PDF decoys are delivered to the victims. He writes, “The PDF decoys traditionally arrive as email attachments to victims. The emails are crafted to contain legitimate content and deliver the malware from whitelisted sources. Often, such attachments are saved to cloud storage services, like Google Drive. Sharing these documents with other users can result in the occurrence of a secondary propagation vector like the CloudPhishing Fan-out Effect.”
Most of the PDFs were found to have been created with Adobe Acrobat 18.0 and carried the malicious URL in compressed form inside a PDF stream using the FlateDecode filter (/Filter /FlateDecode). All of the decoys delivered their payload over HTTPS URLs.
The Netskope blog post also explains the URL redirection on the GCP App Engine. An illustration shows how, once the URL is accessed, the user is logged out from appengine.google.com and a 302 response status code is returned for the URL redirection. The user is then redirected to google.com/url with the query string “?continue=”. The illustration also shows how the destination landing page is reached through this redirection logic and Doc102018.doc is downloaded to the victim’s machine.
In all the cases the Netskope team examined, the GCP App Engine application successfully validated the redirection, leading to delivery of the payload to the victim’s machine. Because the appended URL is an unvalidated redirect, the attackers abused the feature by redirecting victims to a malicious appended URL hosting the payload.
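The two observations above (the URL hidden in a FlateDecode stream, and the App Engine “?continue=” redirect to an external host) can be turned into a simple triage check. The following is an added example written for this article, not code from Netskope or from the blog post: it inflates every Flate stream in a PDF, pulls out /URI action targets, and flags those whose host is an App Engine redirector and whose continue= parameter points outside Google. The sample PDF, the decoy-app.appspot.com entry URL, the payload.invalid destination and the assumption that App Engine apps are served from *.appspot.com are all constructed for the example.

```python
import re
import zlib
from urllib.parse import parse_qs, urlparse

# Hosts the page describes as the App Engine redirector entry point.
# Treating *.appspot.com as App Engine-hosted is an assumption of this example.
REDIRECTOR_HOSTS = ("appengine.google.com", "appspot.com")
# Hosts that belong to the redirect chain itself rather than to an attacker destination.
GOOGLE_FAMILY = ("google.com", "appspot.com")

# Stream bodies between the stream/endstream keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Literal-string targets of URI actions, e.g. /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _in_family(host, family):
    return any(host == f or host.endswith("." + f) for f in family)


def extract_uris(pdf_bytes):
    """Collect URI action targets from plain objects and from FlateDecode streams."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, plain text, ...)
        uris.extend(u.group(1).decode("latin-1") for u in URI_RE.finditer(inflated))
    return uris


def classify_uri(uri):
    """Return a finding when a redirector URL's continue= target leaves Google, else None."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if not _in_family(host, REDIRECTOR_HOSTS):
        return None
    targets = parse_qs(parsed.query).get("continue")
    if not targets:
        return None
    target_host = (urlparse(targets[0]).hostname or "").lower()
    if not target_host or _in_family(target_host, GOOGLE_FAMILY):
        return None
    return {"uri": uri, "redirector": host, "target_host": target_host}


def scan_pdf(pdf_bytes):
    """All findings for one PDF, in the order the URIs were found."""
    return [f for f in (classify_uri(u) for u in extract_uris(pdf_bytes)) if f]


def build_sample_pdf(compressed_uri, plain_uri):
    """Constructed sample: one link whose URI action sits in a FlateDecode stream,
    plus a second link stored uncompressed. Not a complete PDF (no xref table),
    but enough for the scanner above."""
    action = b"<< /S /URI /URI (" + compressed_uri.encode() + b") >>"
    flate = zlib.compress(action)
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(flate)
        + flate + b"\nendstream\nendobj",
        b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] "
        b"/A << /S /URI /URI (" + plain_uri.encode() + b") >> >> endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\n%%EOF\n"


# Constructed sample URLs; the destination uses a reserved .invalid name.
SAMPLE_REDIRECT = "https://decoy-app.appspot.com/logout?continue=https://payload.invalid/Doc102018.doc"
SAMPLE_PLAIN = "https://www.example.com/terms"

if __name__ == "__main__":
    for finding in scan_pdf(build_sample_pdf(SAMPLE_REDIRECT, SAMPLE_PLAIN)):
        print(f"{finding['redirector']} -> {finding['target_host']}: {finding['uri']}")
```

The scanner only handles literal-string /URI values; hex-string forms and object streams nested inside other object streams would need the same inflate step applied recursively. It is a triage aid for mail gateways or sandboxes, not a replacement for a full PDF parser.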
The attackers take advantage of the “default allow” action in popular PDF readers to deploy multiple attacks, and the user will not receive a security warning after the first alert. The Netskope blog post explains, “Generally, PDF readers prompt a security warning to the user when the document connects to a website. Once “remember this action for this site” is checked for a domain, this feature allows any URL within the domain without any prompt… By taking advantage of the “default allow” action in popular PDF readers, the attacker can easily deploy multiple attacks without getting the security warning after the first alert. It is also possible that appengine.google.com is whitelisted by the administrators for legitimate reasons. It also only warns the user that it is trying to connect to appengine.google.com, which looks benign at face value.”
The post also explains how the malware is unleashed. The PDFs delivered to the users download Microsoft Word documents containing obfuscated macro code. When the document is opened, the user is shown a message saying that online preview is not available and asking the user to enable editing and content in order to view the document. Once this option is enabled, the macro executes and the next-stage payload is downloaded from transef[.]biz/fr.txt. The attackers ensure a smooth transition from one stage to the next, which makes the attack hard to detect, investigate or mitigate. The downloaded text file fr.txt downloads and executes the payload using the native Windows application Microsoft Connection Manager Profile Installer (cmstp.exe) in what the researchers call a Squiblydoo technique. (This technique loads malicious scripts through native Windows applications, thereby bypassing application whitelisting solutions.)
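The chain described above (Word document, enabled macro, next stage executed through the signed Windows binary cmstp.exe) leaves a recognisable trace in endpoint process-creation telemetry. The following is an added example for this article, not Netskope’s code: it triages newline-delimited JSON process events and flags an Office application spawning a script host or a native loader binary, and cmstp.exe loading an .inf profile from a user-writable path. The page names only Word and cmstp.exe; the other Office applications, the additional loader binaries, the path fragments and the Sysmon-style sample events are assumptions constructed for the example.

```python
import json
import ntpath

# Office applications whose children are worth scrutinising; the page names
# Word, the rest of the set is an assumption of this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Signed Windows binaries used to load scripts or payloads. The page names only
# cmstp.exe; the others are added here as an assumption.
LOLBINS = {"cmstp.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Path fragments typical of user-writable locations where a dropped .inf would land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def triage_event(event):
    """Return the reasons one process-creation event matches the macro -> native
    binary chain; an empty list means nothing matched."""
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmdline = event.get("command_line", "").lower()
    reasons = []
    if parent in OFFICE_APPS and image in (LOLBINS | SCRIPT_HOSTS):
        reasons.append(f"{parent} spawned {image}")
    if image == "cmstp.exe" and ".inf" in cmdline and any(p in cmdline for p in USER_WRITABLE):
        reasons.append("cmstp.exe loading an .inf profile from a user-writable path")
    return reasons


def triage_log(jsonl):
    """Run triage over newline-delimited JSON events; return {event id: reasons} for hits."""
    hits = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage_event(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample telemetry (Sysmon-style field names, invented for this example).
SAMPLE_LOG = r"""
{"id": 1, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\Doc102018.doc"}
{"id": 2, "image": "C:\\Windows\\System32\\cmstp.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "command_line": "cmstp.exe C:\\Users\\alice\\AppData\\Local\\Temp\\profile.inf"}
{"id": 3, "image": "C:\\Windows\\System32\\cmstp.exe", "parent_image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "cmstp.exe C:\\Program Files\\VendorVPN\\vpn.inf"}
{"id": 4, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "command_line": "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage.ps1"}
"""

if __name__ == "__main__":
    for event_id, reasons in triage_log(SAMPLE_LOG).items():
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 3 shows why the .inf rule keys on the path rather than on cmstp.exe alone: a VPN profile installed by a packaged installer from Program Files is the legitimate use of the binary, while a profile dropped under a user’s Temp directory by a Word child process is the pattern the article describes.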
“Based on our threat intelligence research, more than 20 other banking, government and financial institutions were targeted with the same attack via phishing emails sent by the attackers posing as legitimate customers of those institutions. There were no discernible geographic patterns in organizations targeted — the targets were distributed worldwide,” reads the Netskope blog post.
The abuse has already been reported to Google.