Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Google Drive Used in Attacks Against Government Agencies

A new piece of malware discovered by researchers at Trend Micro is designed to steal files from infected systems and upload them to the file storage and synchronization service Google Drive.

A new piece of malware discovered by researchers at Trend Micro is designed to steal files from infected systems and upload them to the file storage and synchronization service Google Drive.

The malware, detected by Trend Micro products as TSPY_DRIGO.A, scans various folders, including Documents and Recycle Bin, in search for document files. The threat looks for text files (.txt), Microsoft Word documents (.doc, .docx), Microsoft Excel spreadsheets (.xls, .xlsx), PDF documents, and Microsoft PowerPoint presentations (.ppt, .pptx).

Once such files are found, TSPY_DRIGO.A uploads them to a Google Drive account.

“In order to upload the files to Google Drive, the client_id and client_secret were embedded on the malware, together with a refresh token. Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive,” Trend Micro Threats Analyst Kervin Alintanahin explained in a blog post. “This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website. Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens.”

Researchers have used this method to gain access to the attackers’ Google Drive account. Based on the files that have already been uploaded, the security firm has determined that the targeted organizations are mostly government agencies. Trend Micro hasn’t shared any specific information due to customer privacy, but the company told SecurityWeek that it has worked closely with the agencies in question on this issue.

The malware appears to be designed to steal only document files. This could indicate that it’s used by the attackers as part of reconnaissance missions.

“This type of malware routine is perfect for reconnaissance—one of the earlier stages for targeted attacks. After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” Alintanahin said.

Another interesting aspect of TSPY_DRIGO.A is that it has been developed in Go, a programming language created by Google. This isn’t the first piece of malware written in Go, the first threat of this kind being uncovered by Symantec back in September 2012.

While TSPY_DRIGO.A might be the first malware to upload stolen files to Google Drive, this is certainly not the first time the service is abused in cybercriminal operations. In November 2013, Malwarebytes reported that cybercriminals had been using Google Drive to load malicious redirects. Earlier this year, Symantec revealed that the service had been utilized to host phishing pages.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cybercrime

Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.