An organised cybercrime syndicate, which was believed to be responsible for pulling off one of the biggest cyberheists in 2015, is now reportedly using Google services for its malware monitoring purposes. Security researchers believe that the Carbanak gang, named after their customised malware, has taken to using Google services to issue its command and control (C&C) communication, in efforts to better track and control its current and potential victims.
The Carbanak hacker group, also known as Anunak, is believed to have been operational since 2013. However, it was only in 2015 that the group's activities came to light, after the cybercriminals used their Trojan malware to launch targeted attacks against global banks, making away with an estimated $1bn.
According to Forcepoint security researchers, the group has updated its VBScript malware, which now comes with the ability to use Google services. This allows the attackers to send and receive commands from and to Google Forms, Google Sheets and Google Apps Script services. The hacker group's most recent campaign, dubbed "Digital Plagarist" saw the hackers use "weaponised" office documents hosted on mirror domains, in efforts to distribute the malware.
Forcepoint researchers said: "Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation."
Researchers noted that by using Google services, the hacker group can dynamically create Google Sheets spreadsheet, which in turn allows systems to fairly simply manage infected victims. Hackers can leverage the updated malware to check on victims' infected machine's status, remotely send commands and more.
"The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organisation, so it is more likely that the attacker will establish a C&C channel successfully," the researchers said.
Forcepoint researchers said that they have notified Google about the abuse of services and are "working with them" to uncover more details.
In December, TurstWave security researchers uncovered that the gang was back, this time targeting the hospitality sector with renewed vigour. TrustWave noted that the hacker group had added cyberespionage-like features to its original malware in efforts to evade detection. Researchers also speculated that the shift in target focus, as well as the geographical broadening of targets could indicate the group's intention to expand its activities.
Several cybersecurity firms have previously indicated that the group may likely be Russia-based and possibly backed by an organised crime syndicate, given their sophistication and high-profile attacks. The group is also believed to be responsible for conducting a wave of cyberattacks on PoS systems, including the Oracle data breach.