Netskope Threat Research Labs discovered an interesting drive-by download attack in Google. The threat actor involved in this attack initially deployed a Banking Trojan using the file cabinets template in Google sites as a delivery vehicle. The malware dubbed “LoadPCBanker” used SQL as an exfiltration channel to send the compromised victim data to the server.
There are two aspects of this attack that are noteworthy:
- First, users place an implicit trust to vendors like Google. As a result, they are more likely to fall victim to an attack launched from within a Google service.
- Second, whereas other services like Gmail block some malicious file uploads, Google File Cabinet does not appear to have any such protections.
This post describes our discovery and analysis of the attack and the malware payload. We will also conclude with some recommendations to help protect and remediate such threats.
Netskope Detection
Netskope Advanced Threat Protection detects the malware associated with this attack as Win32.LoadPCBanker.Gen.
Netskope customers can also create a policy to generically block all uploads and downloads from Google sites as shown in Figure 1.
Disclosure
Netskope reported the associated Google sites hosting malware using the report abuse option to Google on 12 April 2019.
Malware hosted Google Sites
We originally found the malware being delivered from the following Google Sites URL:https://sites.google[.]com/site/detailsreservations/Reserva-Manoel_pdf.rar?attredirects=0&d=1.
The files are being hosted using the classic Google Sites. Using the ‘Recent site activity’ option on the site containing the file, we found out there were two files resident at the top level, as shown in Figure 2.
The threat actor used classic Google sites to create a website, then used the file cabinet template to upload the payload, and finally sent the resulting URL to the potential targets. A visual depiction of this process is shown in Figure 3.
Attack Kill chain
The depiction of the attack kill chain of the LoadPCBanker malware is shown in Figure 4. It begins with a first-stage parent downloader, which downloads the next stage payloads from a file hosting website. The next stage payloads collect screenshots, clipboard data, and keystrokes from the victim. Finally, it uses SQL, an exfiltration channel to send the victim data to the