Malware uses Google Docs to communicate with control hub

Share this article:

A new iteration of backdoor trojan Makadocs is capable of hiding its command-and-control (C&C) server communications by abusing a legitimate Google Docs function.

Symantec researchers discovered that the malware used Google Docs, a document sharing and editing service, as a proxy server, or intermediary step, to pass along information to C&C servers, according to a Friday blog post.

The tweaked code is even capable of comprising machines running Microsoft's Windows 8 operating system, released last month, and Windows Server 2012, the server version of Windows 8 that became generally available to the public in September.

Kevin Haley, director of Symantec Security Response, told Monday that only a small number of Makadocs infections, fewer than 100, have been detected, mostly in Brazil. The individuals behind the malware apparently were just testing out the updated malware.

Makadocs, which is downloaded on victims' machines when they open malicious Word or Rich Text Format (RTF) documents sent in phishing emails, uses legitimate functionality within Google Docs to hide its communications. 

“There's a feature in Google Docs called “viewer” that allows you to look at a document on another person's machine,” Haley explained. “You can get the URL of where the document is [through the feature].” Makadocs can use the “viewer” feature to access its C&C server instead.

While the phishing tactics used to spread the trojan are commonplace, what Makadocs creators developed to keep the C&C communications under the radar is what caught researchers' attention.

Since the malware existed before Windows 8 was launched, researchers believe the code was updated after the operating system was introduced to widen its threat to users.

“The malware is built to steal information from the computer, so it's a pretty standard information stealer,” Haley said, later adding that basic information like the infected computers' domain name and operating system of choice were passed along to C&C servers.

Symantec's blog post said that it was possible for Google to thwart this abusive behavior by blocking the malware's connection to the Docs server using a firewall.

On Monday, a Google spokesman emailed and said that the company would take action if abuse of its services became a major concern.

“Using any Google product to conduct this kind of activity is a violation of our product policies,” according to a statement. “We investigate and take action when we become aware of abuse.”

Share this article:

Sign up to our newsletters

More in News

Firefox 31 plugs critical memory safety bugs

In total, Firefox 31 brings 11 patches for several flaws affecting the web browser.

Android/Simplocker adds tricks, including ransom message in English

Android/Simplocker ransomware now encrypts archive files, asks to be installed as a Device Administrator, and delivers an English-language ransom message.

Wall Street Journal website vulnerable to SQL injection, gets hacked

The Wall Street Journal confirmed on Tuesday that an outside party exploited a vulnerability and hacked into its new graphics systems.