A new piece of malware discovered by researchers at Trend Micro is designed to steal files from infected systems and upload them to the file storage and synchronization service Google Drive.
The malware, detected by Trend Micro products as TSPY_DRIGO.A, scans various folders, including Documents and Recycle Bin, in search for document files. The threat looks for text files (.txt), Microsoft Word documents (.doc, .docx), Microsoft Excel spreadsheets (.xls, .xlsx), PDF documents, and Microsoft PowerPoint presentations (.ppt, .pptx).
Once such files are found, TSPY_DRIGO.A uploads them to a Google Drive account.
“In order to upload the files to Google Drive, the client_id and client_secret were embedded on the malware, together with a refresh token. Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive,” Trend Micro Threats Analyst Kervin Alintanahin explained in a blog post. “This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website. Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens.”
Researchers have used this method to gain access to the attackers’ Google Drive account. Based on the files that have already been uploaded, the security firm has determined that the targeted organizations are mostly government agencies. Trend Micro hasn’t shared any specific information due to customer privacy, but the company told SecurityWeek that it has worked closely with the agencies in question on this issue.
The malware appears to be designed to steal only document files. This could indicate that it’s used by the attackers as part of reconnaissance missions.
“This type of malware routine is perfect for reconnaissance—one of the earlier stages for targeted attacks. After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” Alintanahin said.
Another interesting aspect of TSPY_DRIGO.A is that it has been developed in Go, a programming language created by Google. This isn’t the first piece of malware written in Go, the first threat of this kind being uncovered by Symantec back in September 2012.
While TSPY_DRIGO.A might be the first malware to upload stolen files to Google Drive, this is certainly not the first time the service is abused in cybercriminal operations. In November 2013, Malwarebytes reported that cybercriminals had been using Google Drive to load malicious redirects. Earlier this year, Symantec revealed that the service had been utilized to host phishing pages.