Threat Actors Continue Abusing Google Docs and Other Cloud Services to Deliver Malware

A key part of phishing threat actors’ mission is to create email narratives and leverage malware delivery techniques that reduce the likelihood of detection. By combining compelling social engineering with seemingly benign content, threat actors hope to bypass technical controls and to convince their human victims of a phishing email’s legitimacy. One method with a long history of use is the abuse of Google Docs file sharing URLs to deliver malware content to victims. Because Google Docs and other cloud services may be trusted within an enterprise, threat actors will continue to abuse file sharing services to possibly bypass firewalls and anti-virus technologies.

One example where threat actors abuse the credibility of the Google Docs cloud platform’s sharing URLs is in the recent distribution of the Zeus Panda botnet malware. Abuse of these services will continue as threat actors attempt to bypass technical controls. In a recent scenario, threat actors delivering this malware abused the Google Docs platform and created a phishing narrative that impersonated communication from the United States Tax Court.

This set of messages returns to a universally appealing phishing narrative in which the threat actors craft a narrative about the recipient’s attempt to evade federal taxes to elicit an emotional response. The goal is to convince victims that they could face criminal consequences and that their appropriate course of action is to perform the all-important click on the link provided.

Figure 1 – Threat actors appeal to uneasy taxpayers and abuse a Google Docs sharing URL

As the screenshot of this message shows, the message’s link points to a Google Docs file sharing URL. From this link, the victims then obtain a Word document that contains macro scripting designed to deliver the adaptable and multipurpose Zeus Panda botnet malware.

Google Docs file sharing URLs abused to deliver Zeus Panda
hxxps://docs.google[.]com/uc?authuser=0&id=0B42m7TuiYgmjUWdYNkVZdmtZRVU&export=download
hxxps://docs.google[.]com/uc?authuser=0&id=0B42m7TuiYgmjYkNIMnM4U1JsUHM&export=download
hxxps://docs.google[.]com/uc?authuser=0&id=0B42m7TuiYgmjWEJIRXJQYW5leUk&export=download

Figure 2 – Google Docs URLs abused in the delivery of the Zeus Panda malware

Google cloud services are not the only services abused by threat actors for the purposes of delivering malware via phishing email. Similar behavior has been noted in the past with other legitimate service providers such as Dropbox, Cubby, SugarSync, and others. Threat actors aim to increase the likelihood of infecting victims by posing as an established organization, and making use of legitimate file sharing services. While this technique is not original, it emphasizes another method that threat actors use to lure potential phishing victims.

Threat actors will continue to abuse these services and experiment with other techniques as they attempt to bypass various security solutions and the suspicions of potential victims. A holistic phishing defense strategy can help mitigate this risk. By empowering both email users and security professionals, it is possible to take away threat actor opportunities at many points during the attack lifecycle. Through education and empowerment to report suspicious emails, email users can become trained assets to provide early warning to new, malicious emails delivered to an organization. These reports then provide network defenders with raw material to be processed by robust toolsets further enriched through actionable threat intelligence.

Learn about emerging trends and evolving threats in phishing malware with PhishMe’s Q1 Malware report, click here to download.

Karo Ransomware Raises Stakes for Victims by Threatening to Disclose Private Information
Petya-like Ransomware Triggers Global Crisis with Echoes of WannaCry Attack

Leave a Reply