Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Google Drive Used in Attacks Against Government Agencies

A new piece of malware discovered by researchers at Trend Micro is designed to steal files from infected systems and upload them to the file storage and synchronization service Google Drive.

A new piece of malware discovered by researchers at Trend Micro is designed to steal files from infected systems and upload them to the file storage and synchronization service Google Drive.

The malware, detected by Trend Micro products as TSPY_DRIGO.A, scans various folders, including Documents and Recycle Bin, in search for document files. The threat looks for text files (.txt), Microsoft Word documents (.doc, .docx), Microsoft Excel spreadsheets (.xls, .xlsx), PDF documents, and Microsoft PowerPoint presentations (.ppt, .pptx).

Once such files are found, TSPY_DRIGO.A uploads them to a Google Drive account.

“In order to upload the files to Google Drive, the client_id and client_secret were embedded on the malware, together with a refresh token. Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive,” Trend Micro Threats Analyst Kervin Alintanahin explained in a blog post. “This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website. Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens.”

Researchers have used this method to gain access to the attackers’ Google Drive account. Based on the files that have already been uploaded, the security firm has determined that the targeted organizations are mostly government agencies. Trend Micro hasn’t shared any specific information due to customer privacy, but the company told SecurityWeek that it has worked closely with the agencies in question on this issue.

The malware appears to be designed to steal only document files. This could indicate that it’s used by the attackers as part of reconnaissance missions.

“This type of malware routine is perfect for reconnaissance—one of the earlier stages for targeted attacks. After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” Alintanahin said.

Another interesting aspect of TSPY_DRIGO.A is that it has been developed in Go, a programming language created by Google. This isn’t the first piece of malware written in Go, the first threat of this kind being uncovered by Symantec back in September 2012.

Advertisement. Scroll to continue reading.

While TSPY_DRIGO.A might be the first malware to upload stolen files to Google Drive, this is certainly not the first time the service is abused in cybercriminal operations. In November 2013, Malwarebytes reported that cybercriminals had been using Google Drive to load malicious redirects. Earlier this year, Symantec revealed that the service had been utilized to host phishing pages.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.