Netskope Threat Research Labs detected several targeted themed attacks across 42 customer instances mostly in the banking and finance sector. The threat actors involved in these attacks used the App Engine Google Cloud computing platform (GCP) to deliver malware via PDF decoys. After further research, we confirmed evidence of these attacks targeting governments and financial firms worldwide. Several decoys were likely related to an infamous threat actor group named ‘Cobalt Strike’.
The attacks were carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload. This targeted attack is more convincing than the traditional attacks because the URL hosting the malware points the host URL to Google App Engine, thus making the victim believe the file is delivered from a trusted source like Google.
This post describes our discovery and analysis of the Google App Engine URL Redirection abuse, the threat actor responsible, and the malware abusing this feature. We conclude with some recommendations to help protect and remediate such threats.
Netskope Detection
Netskope Advanced Threat Protection detects the targeted decoy we identified as PDF_Phish.Gen.
Disclosure
Netskope reported this abuse to Google on 10 January 2019. The open redirector exists by design.
Discovery
Early this year, Netskope’s telemetry identified common detections across 42 customers in the banking and finance sector. All these were eml files that carried an .eml extension and had the same detection name, triggering alerts in our Outbreak Detection Systems. After investigation, we confirmed that the detections were triggered in the attachments of the eml files.
Leveraging our Netskope Discovery and Netskope Active Introspection Alerts platforms, we discovered these attacks were abusing Google App Engine on the Google Cloud Platform (GCP) as a bait to deliver malware.
PDF Decoys – Delivery
The PDF decoys traditionally arrive as email attachments to victims. The emails are crafted to contain legitimate content and deliver the malware from allow listed sources. Often, such attachments are saved to cloud storage services, like Google Drive. Sharing these documents with other users can result in the occurrence of a secondary propagation vector like the CloudPhishing Fan-out Effect. In this case, the email file containing the decoy document was detected by Advanced Threat Protection and the potential fan-out was prevented.
GCP App Engine URL Redirection – Decoys
This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a GoogleApp Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely.
The themed PDF decoys we observed us