Malware uses Google Docs to communicate with control hub

Share this article:

A new iteration of backdoor trojan Makadocs is capable of hiding its command-and-control (C&C) server communications by abusing a legitimate Google Docs function.

Symantec researchers discovered that the malware used Google Docs, a document sharing and editing service, as a proxy server, or intermediary step, to pass along information to C&C servers, according to a Friday blog post.

The tweaked code is even capable of comprising machines running Microsoft's Windows 8 operating system, released last month, and Windows Server 2012, the server version of Windows 8 that became generally available to the public in September.

Kevin Haley, director of Symantec Security Response, told SCMagazine.com Monday that only a small number of Makadocs infections, fewer than 100, have been detected, mostly in Brazil. The individuals behind the malware apparently were just testing out the updated malware.

Makadocs, which is downloaded on victims' machines when they open malicious Word or Rich Text Format (RTF) documents sent in phishing emails, uses legitimate functionality within Google Docs to hide its communications. 

“There's a feature in Google Docs called “viewer” that allows you to look at a document on another person's machine,” Haley explained. “You can get the URL of where the document is [through the feature].” Makadocs can use the “viewer” feature to access its C&C server instead.

While the phishing tactics used to spread the trojan are commonplace, what Makadocs creators developed to keep the C&C communications under the radar is what caught researchers' attention.

Since the malware existed before Windows 8 was launched, researchers believe the code was updated after the operating system was introduced to widen its threat to users.

“The malware is built to steal information from the computer, so it's a pretty standard information stealer,” Haley said, later adding that basic information like the infected computers' domain name and operating system of choice were passed along to C&C servers.

Symantec's blog post said that it was possible for Google to thwart this abusive behavior by blocking the malware's connection to the Docs server using a firewall.

On Monday, a Google spokesman emailed SCMagazine.com and said that the company would take action if abuse of its services became a major concern.

“Using any Google product to conduct this kind of activity is a violation of our product policies,” according to a statement. “We investigate and take action when we become aware of abuse.”

Share this article:

Sign up to our newsletters

More in News

Health care breaches continue to rise, over 30M affected

As breaches hitting the health care industry continue to ramp up, more than 30 million individuals have been affected by these incidents thus far.

'Backoff' malware compromises POS devices in New Orleans restaurant

Anyone that used a credit or debit card at Mizado Cocina between May 9 and July 18 may have had their data compromised.

FBI begins investigation into 1.2 billion stolen credentials

A couple weeks after Hold Security's initial discovery of the stolen logins, the Federal Bureau of Investigation is conducting its own review.