A new malware using Google App Engine to create malicious PDF files

The Cobalt Strike hacking group is abusing Google App Engine to distribute malware embedded in PDF documents

Network security and ethical hacking specialists from the International Institute of Cyber Security reported the emergence of a complex malware campaign in which hackers exploit Google App Engine, a cloud computing platform, to deploy malware using specially crafted PDF files.

The main targets of this campaign are government and financial institutions, especially banks with a worldwide presence, as mentioned in the research. From the evidence collected so far, researchers believe that the Cobalt Strike hacking group is behind these attacks.

At the beginning of 2019, multiple organizations began receiving similar emails with .eml attachments. By investigating this trend, network security specialists were able to confirm that these attachments were triggering enterprise detection systems.

“The PDF file detected in these organizations downloads a Word document (Doc102018.doc) with a confusing macro code. During execution, the victim finds a message to enable the document edit mode.”

A PDF reader normally displays a security warning when a file links to a website. However, once the user has allowed that action for a site, any URL within the same domain is followed without a further prompt, so a single approval of a trusted-looking domain covers every later link under it.
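To show what a defender can check for before a reader ever prompts the user, here is an added example (not code from the article or from the researchers it cites) that pulls the link targets out of a PDF and flags two of the traits described above: an action that fires automatically when the document opens, and link targets hosted on a shared cloud platform where a trusted domain fronts attacker-controlled content. The sample PDF bytes are constructed for this example, and the list of shared-hosting suffixes (`appspot.com`, the domain App Engine applications are served from) is an assumption of the example, not a list taken from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF skeleton with an /OpenAction URI action and
# one ordinary link annotation. The hostnames are placeholders for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (https://example-project.appspot.com/redirect?target=document) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.org/legit) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosting platforms whose URLs carry a trusted brand but serve tenant-controlled
# content. This set is an assumption of the example, not a list from the article.
SHARED_HOSTING_SUFFIXES = ("appspot.com",)

# Matches literal-string URI actions: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OPEN_ACTION_RE = re.compile(rb"/OpenAction")


def extract_uris(pdf_bytes):
    """Return the /URI targets found as plain literal strings in the raw bytes.

    Only unescaped, uncompressed literal strings are handled; a production
    scanner must also inflate object streams and decode hex strings.
    """
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def is_shared_hosting(url):
    """True when the URL's host is (or is a subdomain of) a shared-hosting suffix."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def scan_pdf(pdf_bytes):
    """Collect link targets and a list of human-readable findings for a PDF."""
    uris = extract_uris(pdf_bytes)
    findings = []
    if OPEN_ACTION_RE.search(pdf_bytes):
        findings.append("open-action: document runs an action automatically on open")
    for u in uris:
        if is_shared_hosting(u):
            findings.append(f"shared-hosting-uri: {u}")
    return {"uris": uris, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for line in result["findings"]:
        print(line)
```

Run against real samples, the finding list is what a mail gateway or sandbox would attach to the alert; the point of listing every URI, not just the flagged ones, is that an analyst can then see which domain the reader's one-time approval would silently cover afterwards.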

“This attack is much more effective because it shows a Google App Engine URL to redirect the victim to the malicious website. Because the payload seems to come from a reliable source, users are more likely to fall into the trap.”

Experts recommend that users not download attachments from unknown sources, especially when they arrive in emails of dubious provenance. It is also recommended to keep all systems updated and to deploy the antimalware solution that best suits the user's environment.

This is not the first time that malicious hackers have taken advantage of a Google service to distribute harmful software. Recently, the DarkHydrus tool, used to distribute the RogueRobin malware through Google Drive, was discovered on the Internet.

In addition, multiple reports from network security specialists mention the use of the Google Sites and AdWords platforms to distribute malware through a spoofed version of the Chrome browser. There is also evidence that malicious hackers are able to use Google search results to distribute malware variants through Search Engine Optimization (SEO) poisoning and malvertising campaigns.
