Taking advantage of the Google branding and lack of detection in the File Cabinet option, attackers are using their web design platform for drive-by download attacks. After creating a webpage with Google Sites, the attacker proceeded to use the File Cabinet option to place the malware where a URL was, then created and distributed to prospective victims. Inside of that cabinet is an archive named “Reserva_Manoel_pdf.rar” which contains the malicious file “PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe” when translated from Portuguese it means, “PDF Reservations Details MANOEL CARVALHO guest house details.” When searching Google for the guest house no results turn up, however, there is a Manoel Carvalho who plays football for a Brazilian team named Corinthians on loan from Curzeiro, so the attacker could be relying on a user’s pure curiosity in relation to the football team. The connection can be made when viewing the malicious PDF, which uses a shield icon that’s colored blue and yellow–the same colors as Curzeiro. The executable is written in Delphi and if the pdf icon is clicked, the downloader is activated and it creates an unseen folder (clientpc) which then downloads the following payloads: otlook.exe, cliente.dll, and libmySQL50.DLL, from an alternate file hosting service. All downloaded URLs are deleted from the targeted system’s WinINet cache by the downloader and then it runs otlook.exe. From there, the SQL library and cliente.dll payloads begin operating primarily as spyware. Tasks like recording screenshots, clipboard data, and keystrokes are performed. Otlook payload likewise downloads a document named dblog.log, which contains the encoded subtleties and accreditations for an external SQL database utilized as the exfiltration place for stolen information.
Analyst Notes
Users should think about using a good anti-virus tool which could help them detect malicious entities. Third party downloads should be avoided, especially if the source cannot be verified or trusted. Data should be regularly be backed up to assure copies will be available in case they are stolen.
