Carbanak using Google services to control its malware

Google Apps Script, Google Sheets, and Google Forms services are used as C&C.

Carbanak, a powerful cyber-crime group, is using certain Google services as Command & Control for its malware and other malicious elements. The news was released by cybersecurity firm Forcepoint, this Tuesday.

Forcepoint came across a trojanised RTF document, which it managed to tie to the Carbanak group. Once ran it will, according to Forcepoint, "send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services”. 

Each infected user gets a unique Google Sheets spreadsheet, allowing the attackers to ‘manage’ each victim. This approach allows the group two key advantages: one – it allows them to hide in plain sight, and two – it’s highly unlikely that organisations will be blocking Google services by default, meaning the C&C can be set up successfully.

Forcepoint said it doesn’t know how many of these C&C channels were open, but it did notify Google. 

“The Carbanak actors continue to look for stealth techniques to evade detection,” Forcepoint said in its report. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.”

Carbanak was previously known for stealing up to a billion dollars, from more than 100 banks in 30 countries. The robbery was revealed in 2015.

Photo Credit: andriano.cz/Shutterstock