Malware uses Google Docs to communicate with control hub

Share this article:

A new iteration of backdoor trojan Makadocs is capable of hiding its command-and-control (C&C) server communications by abusing a legitimate Google Docs function.

Symantec researchers discovered that the malware used Google Docs, a document sharing and editing service, as a proxy server, or intermediary step, to pass along information to C&C servers, according to a Friday blog post.

The tweaked code is even capable of comprising machines running Microsoft's Windows 8 operating system, released last month, and Windows Server 2012, the server version of Windows 8 that became generally available to the public in September.

Kevin Haley, director of Symantec Security Response, told SCMagazine.com Monday that only a small number of Makadocs infections, fewer than 100, have been detected, mostly in Brazil. The individuals behind the malware apparently were just testing out the updated malware.

Makadocs, which is downloaded on victims' machines when they open malicious Word or Rich Text Format (RTF) documents sent in phishing emails, uses legitimate functionality within Google Docs to hide its communications. 

“There's a feature in Google Docs called “viewer” that allows you to look at a document on another person's machine,” Haley explained. “You can get the URL of where the document is [through the feature].” Makadocs can use the “viewer” feature to access its C&C server instead.

While the phishing tactics used to spread the trojan are commonplace, what Makadocs creators developed to keep the C&C communications under the radar is what caught researchers' attention.

Since the malware existed before Windows 8 was launched, researchers believe the code was updated after the operating system was introduced to widen its threat to users.

“The malware is built to steal information from the computer, so it's a pretty standard information stealer,” Haley said, later adding that basic information like the infected computers' domain name and operating system of choice were passed along to C&C servers.

Symantec's blog post said that it was possible for Google to thwart this abusive behavior by blocking the malware's connection to the Docs server using a firewall.

On Monday, a Google spokesman emailed SCMagazine.com and said that the company would take action if abuse of its services became a major concern.

“Using any Google product to conduct this kind of activity is a violation of our product policies,” according to a statement. “We investigate and take action when we become aware of abuse.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.