CuteRansomware using Google Docs as a launch platform
So far, the ransomware has only been spotted using Google Docs, but Netskope said it is not limited to this cloud app.
Despite its benign nickname, a new strain of malware called cuteRansomware has been uncovered that uses a Google Doc generated by the cybercriminal to host the decryption key and command-and-control functionality, according to a blog post from Netskope.
The specific case cited uses Google Docs, but Ravi Balupari, Netskope's director of engineering and cloud security research, told SCMagazine.com in an email on Wednesday that any cloud-based system could be substituted. CuteRansomware was spotted in the latter half of June. Balupari called it rather rudimentary in design and possibly an early version, and believed it was most likely authored in China to target Chinese citizens.
The ransomware so far has only been spotted using Google Docs, but Balupari said it is not limited to this cloud app.
“This can happen in any cloud app and, in fact, we have seen other ransomware and general malware transferred via other cloud apps. For example, last week we reported on Cerber ransomware being transferred via Microsoft Office 365,” he told SCMagazine.com.
Using Google Docs specifically creates a host of issues from a cybersecurity standpoint. Netskope noted that Google docs uses HTTPs by default and the network data transmission over SSL can easily bypass normal security measures, such as a firewall. In addition, since the victimized company uses Google Docs as part of its productivity software suite, it is almost impossible to block malicious docs.
“We believe this is critical,” Netskope wrote. "As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools' lack of visibility into SSL becomes a huge benefit to them."
But the most interesting aspect of the threat, the company believes, is how the Google Doc is actually used during the attack. First the ransomware creates a mutex with the name cuteRansomware, encrypts the files and then writes several text files stored under %TEMP% directory. A pop-up ransom note is then shown telling the user the files have been encrypted.
“Then comes the interesting part: The binary captures the computer name of the victim and uploads it and the RSA key for encrypting/decrypting files to the malicious actor-controlled Google Docs form,” Netskope wrote.
This malware is being spread mostly through drive-by downloads, Balupari said.
CuteRansomware's existence could be a harbinger of things to come. Netskope researchers said hackers may turn to cloud services as an attack platform to store keys and to be an integral part of their command-and-control system.