Banking Trojan Drive-by Download Leverages Trust in Google Sites
Brazilian hackers have developed a drive-by download attack that leverages the inherent trust in the Google name. A banking trojan known as LoadPCBanker is delivered through the File Cabinet template of Google Sites.
The attacker first built a website using Google Sites, then used the File Cabinet option to upload and store the malware, and distributed the resulting URL to potential victims. The process, discovered by Netskope, relies heavily on users' tendency to trust the Google name, together with an apparent failure by Google to block malicious uploads to the File Cabinet.
Within the Cabinet is a RAR archive titled ‘Reserva_Manoel_pdf.rar’, and within that is a malicious executable titled ‘PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe’. The Portuguese part of the latter translates to ‘PDF Reservations Details MANOEL CARVALHO guest house details’. Both names are built to look like PDF documents, while the payload is a plain Windows executable.
Although Google search does not disclose such a guest house, there is a Manoel Carvalho who plays football for the Brazilian Corinthians team on loan from Cruzeiro — and the attackers are likely relying on natural curiosity, especially the Brazilian love of football, to tempt visitors into downloading the malware.
The malicious executable, written in Delphi, is disguised as a PDF using a PDF icon with a blue and yellow shield (the colors of the Cruzeiro football team). If it is run, it acts as a downloader: it first creates a hidden folder (clientpc) and then downloads the next-stage payloads otlook.exe, cliente.dll, and libmySQL50.DLL from a separate file hosting service. The first two are malware; the third is a legitimate MySQL client library that LoadPCBanker uses to send stolen data to the attackers' server, so its presence alone is not an indicator, but its loading by otlook.exe is.
The downloader deletes all of its download URLs from the system's WinINet cache and runs otlook.exe, which loads the MySQL library and cliente.dll. Otlook operates primarily as spyware, recording screenshots, clipboard data, and keystrokes. It also downloads a file named dblog.log, which contains the encrypted details and credentials for an external MySQL database used as the exfiltration destination for the stolen data.
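The names in the two paragraphs above are enough to build a host-side triage check. The following is an added example, not code from Netskope or from the report, that correlates endpoint telemetry per host against those indicators: the disguised "... PDF.exe" naming, the clientpc drop folder, the three second-stage files, and otlook.exe loading cliente.dll and libmySQL50.DLL. The event schema (host, type, image, path) and the sample events are constructed assumptions standing in for Sysmon-style process-create, file-create and image-load records; only the file and folder names come from the article.

```python
"""Indicator-based triage for the LoadPCBanker delivery chain.

Added example; the event format below is a constructed stand-in for
Sysmon-style telemetry. Indicator names are taken from the article.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators from the article
DROP_DIR = "clientpc"                                  # hidden folder created by the downloader
STAGE2_FILES = {"otlook.exe", "cliente.dll", "libmysql50.dll"}
LOADER = "otlook.exe"                                  # second stage that loads the other two
LOADED_BY_LOADER = {"cliente.dll", "libmysql50.dll"}

# A document-like keyword sitting directly in front of an executable extension,
# e.g. "... detalhes PDF.exe" or "invoice.pdf.exe". Generalises the article's lure name.
LURE_NAME_RE = re.compile(
    r"(?:^|[\s_\-.])(pdf|doc|docx|xls|xlsx)\s*\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)


def is_lure_name(path: str) -> bool:
    """True if the file name is an executable dressed up as a document."""
    return LURE_NAME_RE.search(PureWindowsPath(path).name) is not None


def triage(events):
    """Return {host: sorted list of indicator hits} for hosts with at least one hit.

    Each event is a dict: host, type (process_create | file_create | image_load),
    image (the acting process), path (the created file, new process or loaded module).
    """
    hits = defaultdict(set)
    for ev in events:
        target = PureWindowsPath(ev["path"])
        name = target.name.lower()
        if ev["type"] == "process_create" and is_lure_name(target.name):
            hits[ev["host"]].add(f"lure name: {target.name}")
        elif ev["type"] == "file_create":
            in_drop_dir = DROP_DIR in {p.lower() for p in target.parts}
            if in_drop_dir and name in STAGE2_FILES:
                hits[ev["host"]].add(f"stage2 drop: {name}")
        elif ev["type"] == "image_load":
            loader = PureWindowsPath(ev["image"]).name.lower()
            # libmySQL50.DLL is a legitimate library; only its use by otlook.exe matters
            if loader == LOADER and name in LOADED_BY_LOADER:
                hits[ev["host"]].add(f"{LOADER} loaded {name}")
    return {host: sorted(found) for host, found in hits.items()}


def confirmed_hosts(events):
    """Hosts showing the full chain: all three drops plus both loads by otlook.exe."""
    required = {f"stage2 drop: {n}" for n in STAGE2_FILES} | {
        f"{LOADER} loaded {n}" for n in LOADED_BY_LOADER
    }
    return sorted(h for h, found in triage(events).items() if required <= set(found))


# Constructed sample telemetry: WS-01 runs the lure, WS-02 is benign activity.
_LURE = r"C:\Users\joao\Downloads\PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe"
_DROP = r"C:\Users\joao\AppData\Roaming\clientpc"
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process_create", "image": r"C:\Windows\explorer.exe", "path": _LURE},
    {"host": "WS-01", "type": "file_create", "image": _LURE, "path": _DROP + r"\otlook.exe"},
    {"host": "WS-01", "type": "file_create", "image": _LURE, "path": _DROP + r"\cliente.dll"},
    {"host": "WS-01", "type": "file_create", "image": _LURE, "path": _DROP + r"\libmySQL50.DLL"},
    {"host": "WS-01", "type": "image_load", "image": _DROP + r"\otlook.exe", "path": _DROP + r"\cliente.dll"},
    {"host": "WS-01", "type": "image_load", "image": _DROP + r"\otlook.exe", "path": _DROP + r"\libmySQL50.DLL"},
    {"host": "WS-02", "type": "file_create", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "path": r"C:\Users\ana\Downloads\report.pdf"},
    {"host": "WS-02", "type": "image_load", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "path": r"C:\Program Files\Microsoft Office\mso.dll"},
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, found)
    print("confirmed:", confirmed_hosts(SAMPLE_EVENTS))
```

The lure-name check is deliberately broader than the one file name in the report, so it will also catch other double-extension lures; the chain check in confirmed_hosts is what separates a stray libmySQL50.DLL (common on developer machines) from an actual infection.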
Interestingly, the attackers only seemed interested in surveilling a specific set of machines. Although Netskope detected ‘a lot of infected machine responses’, only a few were being actively surveilled: the attacker was monitoring just 20 infected hosts. Netskope does not disclose the location of the infected victims; however, the pattern fits with what is known about Brazilian hackers. The malware is clearly targeted at Portuguese speakers, and the difficulties of moving money into and out of Brazil make it likely that the actors are only interested in Brazilian targets and Brazilian banks.
Earlier this month, Recorded Future published an analysis of Brazilian hackers and hacking. It noted that in general, the Brazilian hacker is very insular: Brazilian bank fraud is primarily targeted against Brazilian banks. The reason is very strict financial controls. “The processing of international payment orders,” it wrote, “is treated as a currency exchange transaction. As such, additional controls against money laundering and tax evasion are applied, making moving money across country borders harder.”
Netskope believes that similar malware has been around since early 2014, and that the current campaign has been active since February 2019. It does not know whether this is the same actor or whether the source code has been shared and reused.