The group is financially motivated and has recently been spotted using weaponized office documents hosted on mirrored domains.
The group is financially motivated and has recently been spotted using weaponized office documents hosted on mirrored domains.

The Carbanak cybergang has been spotted using Google for its malware command-and-control channel.

Forcepoint Security Labs researchers said the group is hiding in plain site by is using Google as an independent command and control channel since Google is likely to be more successful than using newly created domains or domains with no reputation. 

The group, also known as Anunak, is financially motivated and has recently been spotted using weaponized office documents hosted on mirrored domains, in order to distribute malware, according to a Jan. 17 blog post.

Each time a user is infected, a unique Google Sheets spreadsheet is dynamically created in order to manage each victim, and researchers said the legitimate use of third party services like Google allow the attacker to hide in plain site because it's unlikely that organization will block Google by default.

This makes it more likely for the attackers to successfully establish command and control channels, researchers said in the post.

Forcepoint Security Labs researcher Nicholas Griffin told SC Media that as far as he knows, Google has been made aware of the incident and are investigating and tracking the group.

“It very well may be that they are liaising with law enforcement or otherwise investigating it rather than shutting it down entirely,” Griffin said. “But of course they are not at liberty to disclose whether that is or isn't the case.”

Trustwave researchers also spotted the cybergang targeting the hospitality industry and they say it has already affected a U.S. restaurant chain with more than 1,500 locations, as well as a luxury hotel chain with more than 100 locations in the country.

The attackers used cloud services such as Google Docs, Google Forms and Pastebin.com to keep track of infected systems, spread malware and perform additional malicious activities Trustwave researchers said in it the “Operation Grand Mars: Defending Against Carbanak Cyber Attacks” report.  

This isn't the first time researchers have spotted attackers using this method of spreading malware. CipherCloud Vice President of Technology Sundaram Lakshmanan told SC Media.

This latest attack is part of a disturbing trend: cloud applications are increasingly becoming vectors of choice for hackers – just like Email for Phishing, to spread malware into the enterprise,” Lakshmanan said. “Despite the best efforts of Google and others, this demonstrates that you can't put blanket trust in cloud services to protect your most sensitive data.”

The innovation of attackers using methods like this have stemmed in a cyber arms race with the strongest vulnerability being the human factor, John Gunn, vice president of communications at VASCO Data Security, told SC Media.  

“There is no patch for gullibility that can protect users from social engineering attacks,” Gunn said. “This is typically the first step in these types of attacks, and this will continue to compromise millions of users.”