A notorious cybercrime gang that made a name for itself by hacking financial institutions in 2015 is using Google services to monitor malware victims’ devices, according to an online security firm.
The Carbanak group – also known as Anunak – is tapping Google’s cloud-based apps to send commands to compromised machines, researchers from Forcepoint Security Labs have revealed.
The hacking group surfaced nearly two years ago when it was found to be aggressively targeting banks and other financial institutions with customised malware designed to take control of computers that manage money transactions. Carbanak cybercriminals targeted low-level bank workers in spear phishing attacks, sending them malware-infected email attachments. When opened, these would give the scammers access to banks’ IT networks.
Named Digital Plagiarist, the group’s new campaign involves the use of compromised productivity documents hosted on mirrored domains, which are designed to distribute malware. Google services affected include Google Apps Script, Google Sheets and Google Forms, Forcepoint researchers said.
This is not the first time cyber scammers have used Google services to target victims. In July last year, Netskope revealed that the cuteRansomware family was using Google Docs to store information on infected machines.
In a blog post on its website, Forcepoint said: “The Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent [command and control] channel is likely to be more successful than using newly-created domains or domains with no reputation.
“Forcepoint will continue to monitor this group’s activities and share data with trusted partners.”
Forcepoint said it had informed Google of its discovery, but the search giant has yet to comment publicly on the revelations.
Back in February 2015, Kaspersky Lab revealed that the Carbanak gang had successfully swiped in excess of $1 billion (€937 million) from banking institutions all over the world using its signature malware. At the time, law enforcement officials said the gang was most likely working out of a number of countries, including Russia, Ukraine and China.
In November last year, researchers at online security firm Trustwave said the gang was likely behind attempts to launch socially-engineered attacks on hospitality firms. A member of the gang would call a company’s customer service helpline to say they were having problems with its online reservation system, and ask to send information to an agent by email. The cyber fraudster would stay on the line and wait for the operative to open an infected email attachment before hanging up.
Discussing the gang’s modus operandi when Kaspersky Lab first discovered its activities in 2015, Sanjay Virmani, Director of Interpol’s Digital Crime Centre, commented: “These attacks again underline the fact that criminals will exploit any vulnerability in any system. It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”