If you’ve watched the new Netflix series White Rabbit Project you’ve heard of the Carbanak gang. They’re one of the most successful cybercriminal rings ever.
Their signature malware has already helped them swipe more than $1 billion from banks around the globe. Now they’ve figured out how to abuse services run by Google to help them steal even more money.
According to a new report from Raytheon-owned Forcepoint, Carbanak’s operators have implemented a very clever new system for delivering commands to (and receiving data from) the computers they’ve infected. They’re doing it through Google Sheets spreadsheets and Google Forms.
This might sound like an odd way to control malware, but it’s actually a technique that cybercriminals have been employing for years. Back in 2012, Symantec discovered a Trojan they dubbed Makadocs that was utilizing Google Docs to facilitate communications.
Why would someone distributing malware want to host critical files on Google’s servers? Because, as Forcepoint notes, the kinds of organizations and businesses the Carbanak gang are likely to target are probably doing their best to block any communications with sketchy-looking domains.
It’s extremely unlikely that they would block access to Google’s domains. In researcher Nicholas Griffin’s words, “The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight.” That gives Carbanak’s criminal controllers a better chance at pulling off yet another lucrative heist.
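Because blocking Google’s domains is not an option, defenders have to look for how the infected machine talks to those domains rather than whether it does. The script below is an added example written for this article; it is not code from Forcepoint’s report or from the Carbanak malware. It runs over a few constructed proxy log lines (the format, the placeholder form and sheet IDs, and the client addresses are all invented here) and flags clients that hit Google Forms submission or Sheets export endpoints on a near-fixed timer, or without a modern browser user agent. Which paths count as “programmatic” and the thresholds used are assumptions to tune for your own environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, client IP, user agent, host, path.
# IDs and addresses are placeholders, not indicators taken from the report.
SAMPLE_LOG = """\
2016-12-05T10:00:00 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0" docs.google.com /spreadsheets/d/PLACEHOLDER_SHEET/edit
2016-12-05T10:00:07 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0" docs.google.com /forms/d/e/PLACEHOLDER_FORM/viewform
2016-12-05T10:41:30 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0" docs.google.com /forms/d/e/PLACEHOLDER_FORM/formResponse
2016-12-05T10:05:00 10.0.0.57 "Mozilla/4.0 (compatible; MSIE 7.0)" docs.google.com /spreadsheets/d/PLACEHOLDER_SHEET/export
2016-12-05T10:10:00 10.0.0.57 "Mozilla/4.0 (compatible; MSIE 7.0)" docs.google.com /forms/d/e/PLACEHOLDER_FORM/formResponse
2016-12-05T10:15:01 10.0.0.57 "Mozilla/4.0 (compatible; MSIE 7.0)" docs.google.com /spreadsheets/d/PLACEHOLDER_SHEET/export
2016-12-05T10:20:00 10.0.0.57 "Mozilla/4.0 (compatible; MSIE 7.0)" docs.google.com /forms/d/e/PLACEHOLDER_FORM/formResponse
2016-12-05T10:25:00 10.0.0.57 "Mozilla/4.0 (compatible; MSIE 7.0)" docs.google.com /spreadsheets/d/PLACEHOLDER_SHEET/export
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Assumption: these endpoints are what a script submitting data to a Form or
# pulling a Sheet would hit; an interactive user mostly loads /edit and /viewform.
PROGRAMMATIC_PATH = re.compile(r'^/(spreadsheets/d/[^/]+/export|forms/d/e/[^/]+/formResponse)')

# Heuristic: a product token of a current browser family. Anything else
# (legacy IE strings, custom agents) is treated as "not a browser".
BROWSER_UA = re.compile(r'(Chrome|Firefox|Safari|Edge)/\d')


def parse_log(text):
    """Parse constructed log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, ua, host, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "ua": ua, "host": host, "path": path})
    return events


def find_suspicious_clients(events, min_hits=4, max_cv=0.1):
    """Return {client: [reasons]} for clients whose Google Forms/Sheets use looks automated.

    Two signals are combined: no modern browser user agent on any programmatic
    request, and request timing so regular (coefficient of variation of the
    inter-request gaps <= max_cv over at least min_hits requests) that it looks
    like a beacon rather than a person.
    """
    per_client = defaultdict(list)
    for e in events:
        if e["host"].endswith("google.com") and PROGRAMMATIC_PATH.match(e["path"]):
            per_client[e["client"]].append(e)

    findings = {}
    for client, hits in per_client.items():
        reasons = []
        if not any(BROWSER_UA.search(h["ua"]) for h in hits):
            reasons.append("no modern browser user agent")
        if len(hits) >= min_hits:
            times = sorted(h["ts"] for h in hits)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
            if cv <= max_cv:
                reasons.append(f"periodic beacon every ~{mean_gap:.0f}s ({len(hits)} hits)")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

On the sample data the browser-driven client (10.0.0.12) is left alone, while 10.0.0.57 is reported for both a legacy user agent and a five-minute beacon. In a real deployment the same logic belongs in the proxy or SIEM pipeline, with the endpoint list and thresholds adjusted so that legitimate automation (scheduled exports, integrations) is allow-listed by client rather than by domain.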
So how does this new Carbanak threat spread? Unsurprisingly, the malicious payload is delivered as an attachment as part of a phishing attack.
As we learned earlier this week, that’s still an incredibly effective way to infect computers. Even security-minded users can be tricked into opening dangerous attachments when the phishing emails are convincing enough.