Attackers use Google Cloud Platform (GCP) to deliver malware via PDF decoys

• PDF decoy themed attacks using Google Cloud Platform target financial institutions and Government agencies across various countries.
• The attack has targeted almost 42 organizations including OmniPay, Metrobank, Travelex foreign exchange business, SKB Bank, RGS Bank, BancNet online, Bank of Alexandria, India’s Ministry of External Affairs, and more.

Researchers from Netskope recently spotted targeted attacks using the App Engine Google Cloud Platform to deliver malware via PDR decoys. The attack primarily targets financial institutions and Government agencies across countries.

It has affected almost 42 organizations including OmniPay in Aisa, Metrobank in the Philippines, Travelex foreign exchange business, SKB Bank and RGS Bank in Russia, BancNet online, Bank of Alexandria and Standard Bank in South Africa, India’s Ministry of External Affairs, etc.

Cobalt Strike threat actor group

Researchers detected that most of the PDF decoys used were likely linked to Cobalt Strike threat actor group.

The Cobalt Strike threat group is known for using various TTPs, Carbanak malware, and Cobalt Strike software to target financial institution. Cobalt Strike software is a white hat tool for conducting security assessments. Researchers said that the hacker group’s pattern continues in this themed attacks.

URL Redirection mechanism

This PDF decoy themed attack redirects the URL hosting the malware to Google App Engine. This URL redirection mechanism is used by attackers to trick victims to believe that the PDFs are from the trusted legitimate source.

“The usage of themed PDF decoys with enticing emails is a perfect choice since the payload seems to be originating from a trusted source, and popular PDF viewers enable users to easily whitelist domains,” Ashwin Vamshi, a security researcher from Netskope said.

In this attack, victims are tricked with Google App Engine URL and are redirected to malware. Since Google Cloud Platform is a legitimate source, victims are unlikely to know that they are targeted.

Most of the PDF decoys were created using Adobe Acrobat 18.0 and contain the malicious link. All decoys use HTTPS URLs to deliver the payload.

• Once users download the PDF decoy and click the malicious link, victims are logged out of Google App Engine and a response status code 302 is generated for URL redirection.
• Victims are redirected to a landing page where a malicious file is downloaded onto their systems.
• In most cases, the Google App Engine validated the redirection and delivered the payload which is a MS Word document containing obfuscated macro code.
• Once executed, it displays a message to victims prompting them to enable editing and content mode to view the file.
• If enabled, the macro is executed and downloads another stage payload, a tactic that which makes the attack harder to detect.

“PDF readers typically alert users when a document connects to a website with a ‘remember this action’ pop-up. If users check the box, future URLs within the domain will connect without any prompt. Attackers can abuse this, launching several attacks without users seeing any kind of security warning after they approve redirection in their first notification,” Vamshi said.

Netspoke reported the ‘URL redirection abuse’ to Google on January 10, 2019, and Google responded by saying that the open redirector exists by design.

However, Netspoke researcher suggested that users can detect URL redirection abuse by hovering their mouse over the hyperlink before clicking. Vamshi concluded by saying that enterprises should educate their employees and users to recognize AWS, Azure, and GCP URLs so they can discern malicious sites from legitimate sites.