Banking Trojan Drive-by Download Leverages Trust in Google Sites

Brazilian hackers have developed a drive-by download attack leveraging the inherent trust in the Google name. A banking trojan known as LoadPCBanker is deployed using the file cabinets template in Google sites as a delivery vehicle.

The attacker first built a website using Google Sites, then used its File Cabinet option to upload and store the malware, and distributed the resulting URL to potential victims. The process, discovered by Netskope, relies heavily on users’ tendency to trust the Google name, together with an apparent failure by Google to block malicious uploads to the File Cabinet.

Within the Cabinet is a RAR archive titled ‘Reserva_Manoel_pdf.rar’; and within that is a malicious executable titled ‘PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe’. The name translates from Portuguese to ‘PDF Reservations Details MANOEL CARVALHO guest house details’; despite the repeated ‘PDF’ in the name, the file is a Windows executable (.exe), not a document.

Although Google search does not disclose such a guest house, there is a Manoel Carvalho who plays football for the Brazilian Corinthians team on loan from Cruzeiro — and the attackers are likely relying on natural curiosity, especially the Brazilian love of football, to tempt visitors into downloading the malware.

The malicious executable, written in Delphi, is disguised as a PDF using a PDF icon with a blue and yellow shield (the colors of the Cruzeiro football team). If it is run, it acts as a downloader that first creates a hidden folder (clientpc) and downloads the next-stage payloads otlook.exe, cliente.dll, and libmySQL50.DLL from a separate file hosting service. The first two are malware, while the third is a legitimate MySQL client library used to send data stolen by LoadPCBanker to the attackers’ database server.

The downloader deletes all its download URLs from the system’s WinINet cache, and runs otlook.exe. This loads the MySQL library and cliente.dll. It operates primarily as spyware, recording screenshots, clipboard data, and keystrokes. Otlook also downloads a file named dblog.log, which contains the encrypted details and credentials for an external SQL database used as the exfiltration destination for stolen data.
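The behaviour described above gives a defender a chain of host-level indicators to hunt for: a ‘PDF … .exe’ lure being executed, the three payloads landing in a folder named clientpc, otlook.exe starting and loading libmySQL50.DLL and cliente.dll, and dblog.log being dropped. Because the downloader wipes its URLs from the WinINet cache, the hunt has to rely on process, file and image-load telemetry rather than browser history. The following is an added example written for this article, not code from SecurityWeek, Netskope or the malware authors. The log format is a constructed, simplified stand-in for Sysmon-style events, the field names (Image, ParentImage, TargetFilename, ImageLoaded) are assumptions, and the parent folder of clientpc in the sample is made up; the file names themselves come from the article.

```python
"""Hunt for the LoadPCBanker infection chain in endpoint telemetry.

Added example for this article; not code from SecurityWeek, Netskope or the
malware authors. The event format is a constructed, simplified stand-in for
Sysmon-style logs (ID 1 = process create, 11 = file create, 7 = image load);
the field names Image/ParentImage/TargetFilename/ImageLoaded are assumptions.
The indicators (clientpc folder, otlook.exe, cliente.dll, libmySQL50.DLL,
dblog.log, a 'PDF ... .exe' lure name) come from the article; the location of
the clientpc folder in the sample is made up.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: host|event_id|key=value;key=value
LURE = r"C:\Users\ana\Downloads\Reserva_Manoel_pdf\PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe"
STAGE = r"C:\Users\ana\AppData\Roaming\clientpc"  # assumed location of the hidden folder
SAMPLE_EVENTS = [
    # Infected host: lure extracted from the RAR and run, payloads staged, spyware started
    f"WS-BR-01|1|Image={LURE};ParentImage=C:\\Program Files\\WinRAR\\WinRAR.exe",
    f"WS-BR-01|11|TargetFilename={STAGE}\\otlook.exe;Image={LURE}",
    f"WS-BR-01|11|TargetFilename={STAGE}\\cliente.dll;Image={LURE}",
    f"WS-BR-01|11|TargetFilename={STAGE}\\libmySQL50.DLL;Image={LURE}",
    f"WS-BR-01|1|Image={STAGE}\\otlook.exe;ParentImage={LURE}",
    f"WS-BR-01|7|Image={STAGE}\\otlook.exe;ImageLoaded={STAGE}\\libmySQL50.DLL",
    f"WS-BR-01|7|Image={STAGE}\\otlook.exe;ImageLoaded={STAGE}\\cliente.dll",
    f"WS-BR-01|11|TargetFilename={STAGE}\\dblog.log;Image={STAGE}\\otlook.exe",
    # Clean host: a real PDF reader, and the real Outlook loading a legitimate MySQL connector
    "WS-BR-02|1|Image=C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe;ParentImage=C:\\Windows\\explorer.exe",
    "WS-BR-02|7|Image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE;ImageLoaded=C:\\Program Files\\MySQL\\libmysql.dll",
]

# 'PDF' somewhere in the file name but the real extension is .exe: the lure style used here
LURE_NAME = re.compile(r"pdf.*\.exe$", re.IGNORECASE)
# Any path that passes through a folder literally named clientpc
STAGING_DIR = re.compile(r"\\clientpc\\", re.IGNORECASE)
PAYLOADS = {"otlook.exe", "cliente.dll", "libmysql50.dll"}
SPYWARE = "otlook.exe"  # note the misspelling: the real Outlook binary is OUTLOOK.EXE
SPYWARE_MODULES = {"libmysql50.dll", "cliente.dll"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_lure_name(path: str) -> bool:
    """True for executables whose name is dressed up as a PDF."""
    return bool(LURE_NAME.search(basename(path)))


def parse_event(line: str) -> dict:
    host, event_id, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    fields["host"] = host
    fields["event_id"] = int(event_id)
    return fields


def classify(ev: dict):
    """Return the chain stage a single event evidences, or None."""
    eid = ev["event_id"]
    image = ev.get("Image", "")
    if eid == 1 and is_lure_name(image):
        return "lure_executed"
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if STAGING_DIR.search(target) and basename(target).lower() in PAYLOADS:
            return "payload_staged"
        if STAGING_DIR.search(target) and basename(target).lower() == "dblog.log":
            return "exfil_config_dropped"
    if eid == 1 and STAGING_DIR.search(image) and basename(image).lower() == SPYWARE:
        return "spyware_started"
    if (eid == 7 and basename(image).lower() == SPYWARE
            and basename(ev.get("ImageLoaded", "")).lower() in SPYWARE_MODULES):
        return "spyware_loaded_modules"
    return None


def hunt(lines, min_stages: int = 2) -> dict:
    """Correlate per host; report hosts showing at least min_stages distinct stages.

    Requiring more than one stage keeps a lone 'pdf...exe' file name from
    raising an alert on its own.
    """
    stages = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, found in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(found))
```

Run against the constructed sample, the infected host WS-BR-01 is reported with all five stages, while WS-BR-02 is silent: the genuine OUTLOOK.EXE loading a legitimate libmysql.dll is not the misspelled otlook.exe in a clientpc folder, and AcroRd32.exe is not a ‘PDF … .exe’ lure. In a real environment the same logic maps directly onto Sysmon event IDs 1, 7 and 11, with the field names adjusted to your collector.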

Interestingly, the attackers seemed interested in surveilling only a specific set of machines. Although Netskope detected ‘a lot of infected machine responses’, only a few were being actively surveilled: the attacker was monitoring just 20 infected hosts. Netskope does not disclose the location of the infected victims; however, the pattern fits with what is known about Brazilian hackers. The malware is clearly targeted at Portuguese speakers, and the difficulties in moving money into and out of Brazil make it likely that the operators are only interested in Brazilian targets and Brazilian banks.

Earlier this month, Recorded Future published an analysis of Brazilian hackers and hacking. It noted that in general, the Brazilian hacker is very insular: Brazilian bank fraud is primarily targeted against Brazilian banks. The reason is very strict financial controls. “The processing of international payment orders,” it wrote, “is treated as a currency exchange transaction. As such, additional controls against money laundering and tax evasion are applied, making moving money across country borders harder.”

Netskope believes that similar malware has been around since early 2014, and that the current campaign has been active since February 2019. It does not know whether the same actor is behind both, or whether the source code has been shared and reused.

Contacted by SecurityWeek, Google issued the following statement in response to the Netskope report: “Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chrome’s Safe Browsing filters.”

*Updated with comment from Google

Related: Ongoing Campaign Delivers Redaman Banking Trojan 

Related: Popular Banking Trojans Share Loaders

Related: Android Trojan Targets Banks, Crypto-Currencies, e-Commerce 

Related: Targeted FlokiBot Attacks Hit PoS Systems in Brazil

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.