In Portugal, a Phishing email malware uses GDocs as a C2 server

By AnubisNetworks • April 27, 2020

After we detected a phishing campaign running in Portugal, the malware.pt team conducted a great research article determining how attackers use Google Docs in an original way.

When Anubis uncovers new spam and phishing campaigns, we often bring along a community of (highly skilled) friends to research further the criminal intent behind such campaigns.

This time, Malware.pt and, namely, Tiago Pereira (kudos to this outstanding cyberthreat researcher) have researched and published an article here on a phishing campaign we discovered, targeting bank clients.

The article above is in Portuguese. It basically uncovers the following:

  • A running campaign of simple phishing emails pointing to a supposed payment document in .MSI format.
  • The malware is downloaded once the .MSI file is executed, and it is unknown to common scanners. It is a hybrid malware with several forms of obfuscation and anti-sandbox checks.
  • The malware is downloaded from Google Docs and installed in the running applications folder.
  • Also on Google Docs are other documents: one configures a Bitcoin address, and others serve as C2 (Command and Control servers) carrying instructions for the malware.
  • This last point is precisely the interesting one: the attackers can easily edit the docs with new instructions and links, whereas dedicated C2 servers may be tracked and taken down by authorities.
  • As for what the malware does: among many things, it can overlay a bank's login page with a different page to capture the user's credentials.

You really need to go to the original article for the easy-to-read, complete investigation. Here, we just wanted to point out yet another example (out of thousands or millions) of clever, or not so clever, ways to steal someone's data, with email being the primary vector!
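As an added example (not part of this post or of the malware.pt article), the following Python hunting routine runs over constructed Sysmon-style network events and flags non-browser processes that contact Google Docs or Drive, rating a finding higher when the process descends from msiexec.exe or polls the document repeatedly, the two behaviours described in the list above. Process names, field names and the sample lines are assumptions; most docs.google.com traffic is legitimate, so such hits are hunting leads to triage, not verdicts.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
GDOCS_HOSTS = {"docs.google.com", "drive.google.com"}

# Constructed Sysmon-style network events (not real telemetry): a browser visit,
# the MSI installer fetching the payload, and the (hypothetical) payload.exe
# polling its "C2" document every few minutes.
SAMPLE_LOG = """\
ts,host,image,parent_image,dest_host
2020-04-27T09:00:01,ws01,chrome.exe,explorer.exe,docs.google.com
2020-04-27T09:02:10,ws01,msiexec.exe,outlook.exe,docs.google.com
2020-04-27T09:02:40,ws01,payload.exe,msiexec.exe,docs.google.com
2020-04-27T09:07:41,ws01,payload.exe,msiexec.exe,docs.google.com
2020-04-27T09:12:42,ws01,payload.exe,msiexec.exe,docs.google.com
2020-04-27T09:15:00,ws02,firefox.exe,explorer.exe,drive.google.com
2020-04-27T09:20:00,ws02,winword.exe,explorer.exe,docs.google.com
"""

def parse_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def find_gdocs_beacons(rows, min_hits=3, window=timedelta(minutes=15)):
    """Group Google Docs/Drive connections by (host, process, parent), skipping
    browsers. Rate 'high' when the parent is msiexec.exe (installer lineage) or
    when at least min_hits connections fall inside one window (polling);
    any other non-browser process reaching these hosts is 'medium'."""
    seen = defaultdict(list)
    for r in rows:
        if r["dest_host"] in GDOCS_HOSTS and r["image"].lower() not in BROWSERS:
            seen[(r["host"], r["image"], r["parent_image"])].append(r["ts"])
    findings = {}
    for (host, image, parent), times in seen.items():
        times.sort()
        polling = any(times[i + min_hits - 1] - times[i] <= window
                      for i in range(len(times) - min_hits + 1))
        severity = "high" if polling or parent.lower() == "msiexec.exe" else "medium"
        findings[(host, image)] = {"parent": parent, "hits": len(times), "severity": severity}
    return findings

if __name__ == "__main__":
    for (host, image), f in find_gdocs_beacons(parse_events(SAMPLE_LOG)).items():
        print(f"{f['severity']:6} {host} {image} (parent {f['parent']}, {f['hits']} hits)")
```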