Carbanak using Google services for command and control

Forcepoint Security Labs (FSL) has revealed that the group behind the Carbanak malware is using Google services for its command and control (C&C). This is not the first time that cybercrime groups have used cloud services. Many now take advantage of cloud resources to crack large numbers of stolen passwords or to analyse large data dumps. Forcepoint says that it has provided Google with the details. The two organisations are working together in order to find a solution to the problem of malware using Google’s cloud services.

The details were released in a blog posted by Nicholas Griffin. It started out as an investigation into a trojanised RTF document that FSL tied back to the Carbanak group. The document uses the same VBScript as other versions of Carbanak. The cybercrime gang is targetting financial institutions. Researchers at Kaspersky Lab say they discovered the malware in 2015. It is claimed that Carbanak has stolen over 500 million dollars. The targetted financial institutions and customers are mainly in Russia, USA, Germany, China and Ukraine.

According to FSL, they have recently seen a new campaign from Carbanak that uses weaponised office documents. These are hosted on a number of mirror domains making it harder to stop the attack. Customers are infected when they open the infected documents and allow the macros inside to run. These macros contact the C&C servers and download the malware. They also send data back regularly to the C&C servers.

How does Carbanak work?

In the FSL blog there is a walkthrough of the infection process. The user receives a document that claims it is protected by Microsoft Office and requiring human verification. When the user enables editing and opens the document they are asked to allow a file called “unprotected.vbe.” This allows the malware to begin installing itself.

The malware is using three different Google services, Google Apps Script, Google Sheets and Google Forms. This is a cleverly coded attack. Carbanak creates a unique Google Spreadsheet and Google Forms ID per victim. It is then easy for the attackers to not only monitor victims individually but also combine that information with other data.

How to stop this Carbanak attack

The easiest way to stop this attack is not to allow users to enable macros and to better educate them. The creation of a company Intranet page where malware attacks and security data is displayed is one way of doing this. For IT security teams FSL provides a set of Indicators of Compromise (IoC) at the bottom of the blog. This lists details of the URLs used by the malware. If the list  is added to a monitoring service, they are then detected and an action can be taken to block them. This will also send an alert to the IT security team who can then isolate the end users machine and begin the remediation process.


Use of the cloud and cloud services by hackers is nothing new. In fact, they are probably bigger users of these services than the security companies who are tracking them. The ability to scale analytics and compute power gives cybercriminals the ability to crack large and complex sets of data.

The fact that Carbanak was caught using Google services is not a Google issue. Although it is surprising that it took an outside agency to discover the use of the services rather than the internal Google security team. Now that the IoC are available for IT security teams they need to check their firewall logs and identify any at risk or infected machines.



Please enter your comment!
Please enter your name here