Netskope Threat Research Labs discovered an interesting drive-by download attack hosted on Google Sites. The threat actor behind this attack initially deployed a banking Trojan using the File Cabinet template in Google Sites as the delivery vehicle. The malware, dubbed "LoadPCBanker", used SQL as an exfiltration channel to send data stolen from compromised victims to the attacker's server.
There are two aspects of this attack that are noteworthy:
- First, users place implicit trust in vendors like Google. As a result, they are more likely to fall victim to an attack launched from within a Google service.
- Second, whereas other services like Gmail block some malicious file uploads, Google File Cabinet does not appear to have any such protections.
This post describes our discovery and analysis of the attack and the malware payload. We conclude with some recommendations to help protect against and remediate such threats.
Netskope Detection
Netskope Advanced Threat Protection detects the malware associated with this attack as Win32.LoadPCBanker.Gen.
Netskope customers can also create a policy to generically block all uploads to and downloads from Google Sites, as shown in Figure 1.