Hackers have launched a worldwide malware campaign that abuses the Google Cloud Platform to deliver weaponized PDF decoys.
Security researchers at the Netskope Threat Research Labs have detected this malware attack, mainly targeting the banking and finance industries. Public firms have also been targeted worldwide.
A recent Netskope blog post by Ashwin Vamshi states: “Netskope Threat Research Labs detected several targeted attacks on 42 clients, mainly in the banking and finance sectors. The threat actors involved in these attacks used the Google Cloud Platform (GCP) App Engine to deliver malware through PDF decoys. After further research, we have confirmed evidence of these attacks against governments and financial firms worldwide.”
Netskope researchers have also found that the threat group ‘Cobalt Strike’ appears to be linked to several decoys.
The Netskope blog post explains that the hackers carried out the attack “… by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload.” It adds, “This targeted attack is more convincing than traditional attacks because the URL hosting the malware points to Google App Engine, giving the victim the belief that the file is delivered.”
The detections raised alerts in Netskope's Outbreak Detection Systems, which the team then investigated. The detections were triggered on .eml file attachments. Ashwin Vamshi writes, “We discovered, on our Netskope Discovery and Netskope Active Introspection Alerts platforms, that these attacks abused Google App Engine on the Google Cloud Platform (GCP) as bait to deliver malware.”
In the blog post, Ashwin Vamshi also explains how PDF decoys reach victims. He writes, “PDF decoys traditionally come to the victims as e-mail attachments. The emails are manufactured to contain legitimate content and to supply the malware from whitelisted sources. Such attachments are often stored in cloud storage services such as Google Drive. Sharing these documents with other users can lead to a secondary propagation vector such as the CloudPhishing Fan-out Effect.” He adds, “Most PDFs were created using Adobe Acrobat 18.0 and contained the malicious URL in compressed form using FlateDecode (/Filter /FlateDecode) in the PDF stream.”
The payload was delivered through all decoys using HTTPS URLs. The Netskope blog post also explains the URL redirection through the GCP App Engine. Using an illustration, it shows how the user is logged out of appengine.google.com once the URL is accessed, after which a ‘302’ response status code triggers the redirection. The user is then redirected to google.com/url using the “?continue=” query parameter. The illustration also shows how this redirection logic reaches the destination landing page, where Doc102018.doc is downloaded to the victim's machine. In every case examined by the Netskope team, the GCP App Engine application validated the redirect and led to delivery of the payload to the victim's machine. Because the embedded URL was an unvalidated redirect, the hackers abused the feature by redirecting the victim to a malicious URL hosting the payload.
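A defender-side check for the lure described above, added here as an illustration rather than code from the Netskope post: it decompresses FlateDecode streams in a PDF, pulls out /URI actions, and flags any that point at appengine.google.com or google.com/url with a ?continue= parameter leading off-Google. The sample PDF fragment, the path and the destination host are constructed placeholders.

```python
"""Flag App Engine ?continue= redirect lures inside FlateDecode PDF streams."""
import re
import zlib
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

STREAM_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
# Hosts the post names as the redirect hops: App Engine logout, then google.com/url.
REDIRECT_HOSTS = {"appengine.google.com", "google.com", "www.google.com"}


def extract_uris(pdf: bytes) -> List[str]:
    """Return every /URI action found in plain text or inside FlateDecode streams."""
    uris = [m.group("uri").decode("latin-1") for m in URI_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        try:
            data = zlib.decompress(m.group("body"))
        except zlib.error:
            continue  # truncated or not deflate: skip the stream instead of crashing
        uris += [u.group("uri").decode("latin-1") for u in URI_RE.finditer(data)]
    return uris


def redirect_target(uri: str) -> Optional[str]:
    """If uri is a Google-hosted ?continue= redirect to a non-Google host, return that host."""
    parts = urlsplit(uri)
    if (parts.hostname or "") not in REDIRECT_HOSTS:
        return None
    cont = parse_qs(parts.query).get("continue")
    if not cont:
        return None
    final = urlsplit(cont[0]).hostname or ""
    if not final or final == "google.com" or final.endswith(".google.com"):
        return None  # stays on Google: not the open-redirect lure
    return final


def scan_pdf(pdf: bytes) -> List[Tuple[str, str]]:
    """Return (uri, final_host) for each suspicious redirect found in the PDF."""
    return [(u, t) for u in extract_uris(pdf) if (t := redirect_target(u))]


def build_sample() -> bytes:
    """Constructed PDF fragment: one /URI action compressed with FlateDecode."""
    action = (b"<< /Type /Action /S /URI /URI (https://appengine.google.com/"
              b"constructed-path?continue=https://example.invalid/Doc102018.doc) >>")
    body = zlib.compress(action)
    return (b"%%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n")
```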
In popular PDF readers, attackers take advantage of the “default allow” action to deploy multiple attacks, and the user will not receive a security warning after the first alert. The Netskope blog post explains, “PDF readers usually give the user a security warning when the document is connected to a website. Once a domain is checked for ‘remember this action for this site,’ this feature allows any URL within the domain without a prompt… By using the ‘default allow’ action in popular PDF readers, the attacker can easily deploy multiple attacks without receiving a security warning after the first alert. Appengine.google.com may also be listed by administrators for legitimate reasons. It also only warns the user that they are trying to connect to appengine.google.com, which looks benign at face value.”
The PDFs delivered to users download Microsoft Word documents containing obfuscated macro code. When opened, the document tells the user that the online preview is not available and asks them to enable editing and content to view the document. Once this option is enabled, the macro executes and downloads a next-stage payload from transef[.]biz/fr.txt.
The hackers work to ensure a smooth transition from one stage to the next, making the attack difficult to detect, investigate or mitigate. The text file fr.txt downloads and executes the payload using the native Windows Connection Manager Profile Installer (cmstp.exe), in what researchers call the Squiblydoo technique.
This technique loads malicious scripts through native Windows applications, bypassing application-whitelisting solutions. “Over 20 other banks, government and financial institutions have been targeted by phishing emails sent by attackers posing as legitimate customers of those institutions, based on our threat intelligence research. There were no discernible geographical patterns in targeted organizations— the targets were distributed throughout the world,” reads the Netskope blog post. The abuse has already been reported to Google.