Banking Trojan Drive-by Download Leverages Trust in Google Sites

silversurfer
Thread author
Brazilian hackers have developed a drive-by download attack leveraging the inherent trust in the Google name. A banking trojan known as LoadPCBanker is deployed using the File Cabinet template in Google Sites as a delivery vehicle.

The attacker first developed a website using Google Sites. He then used the File Cabinet option to upload and store the malware, and distributed the resulting URL to potential victims. The process, discovered by Netskope, relies heavily on users' tendency to trust the Google name, together with an apparent failure by Google to block malicious uploads to the File Cabinet.

Within the Cabinet is a RAR archive titled 'Reserva_Manoel_pdf.rar'; and within that is a malicious executable titled 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe'. The latter translates from Portuguese to 'PDF Reservations Details MANOEL CARVALHO guest house details'.

Although Google search does not disclose such a guest house, there is a Manoel Carvalho who plays football for the Brazilian Corinthians team on loan from Cruzeiro -- and the attackers are likely relying on natural curiosity, especially the Brazilian love of football, to tempt visitors into downloading the malware.

The malicious executable, written in Delphi, is disguised as a PDF using a PDF icon with a blue and yellow shield (the colors of the Cruzeiro football team). If this is clicked, it activates a downloader that first creates a hidden folder (clientpc) and downloads the next-stage payloads otlook.exe, cliente.dll, and libmySQL50.DLL from a separate file hosting service. The first two are malware, while the third is a MySQL library used to send data stolen by LoadPCBanker to the attackers' server.

The downloader deletes all its download URLs from the system's WinINet cache, and runs otlook.exe. This loads the SQL library and cliente.dll. It operates primarily as spyware, recording screenshots, clipboard data, and keystrokes. Otlook also downloads a file named dblog.log, which contains the encrypted details and credentials for an external SQL database used as the exfiltration destination for stolen data.

Interestingly, the attackers only seemed interested in surveilling a specific set of machines. Although Netskope detected 'a lot of infected machine responses', only a few were being actively surveilled. In fact, the attacker was only monitoring 20 infected hosts. Netskope does not disclose the location of the infected victims -- however, the pattern fits with what is known about Brazilian hackers. The malware is clearly targeted at Portuguese speakers; but the difficulties in money transfers into and out of Brazil make it likely that they are only interested in Brazilian targets and Brazilian banks.
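The infection chain described in the post (a document-lookalike executable, a staging folder named clientpc, the stage-2 files otlook.exe / cliente.dll / libmySQL50.DLL / dblog.log, and a MySQL client library loaded by a non-database process) maps directly onto endpoint telemetry. The script below is an added example written for this thread, not code from the article, Netskope or MalwareTips: it runs those indicators as simple detection rules over a few constructed process, file and image-load events. The event schema, the file paths under AppData, and the "process name starts with mysql" allowlist are assumptions made for the example; the indicator names themselves come from the write-up above.

```python
import re
from dataclasses import dataclass

# Indicators taken from the LoadPCBanker write-up. The event format, the sample
# paths and the allowlist below are constructed for this example only.
DOC_LOOKALIKE_EXE = re.compile(r"\b(pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)
STAGE2_FILES = {"otlook.exe", "cliente.dll", "libmysql50.dll", "dblog.log"}
STAGING_DIR = "clientpc"
MYSQL_LIB = "libmysql50.dll"


@dataclass
class Event:
    kind: str      # "process_create" | "file_create" | "image_load"
    path: str      # full path of the executable, file or loaded image
    process: str   # image name of the process performing the action


def check_event(ev):
    """Return a list of alert strings for one event (empty when nothing matched)."""
    alerts = []
    parts = ev.path.replace("/", "\\").lower().split("\\")
    name = parts[-1]
    parents = parts[:-1]

    # Rule 1: an executable whose name ends in "PDF.exe" (or another document
    # extension) was launched, i.e. a file masquerading as a document.
    if ev.kind == "process_create" and DOC_LOOKALIKE_EXE.search(name):
        alerts.append(f"document-lookalike executable launched: {name}")

    # Rule 2: something was written into the downloader's staging folder.
    if ev.kind == "file_create" and STAGING_DIR in parents:
        alerts.append(f"write into staging folder '{STAGING_DIR}': {name}")

    # Rule 3: a file name matching a known stage-2 artifact appeared anywhere.
    if name in STAGE2_FILES:
        alerts.append(f"known LoadPCBanker stage-2 artifact: {name}")

    # Rule 4: the MySQL client library was loaded by a process that is not a
    # MySQL component (crude allowlist; tune to the environment).
    if ev.kind == "image_load" and name == MYSQL_LIB \
            and not ev.process.lower().startswith("mysql"):
        alerts.append(f"MySQL client library loaded by non-database process {ev.process}")

    return alerts


def scan(events):
    """Run every event through check_event; return (event, alerts) pairs that hit."""
    hits = []
    for ev in events:
        found = check_event(ev)
        if found:
            hits.append((ev, found))
    return hits


# Constructed sample telemetry: the first five events mimic the chain in the
# post, the last two are benign activity that must not fire.
LURE = r"C:\Users\u\Downloads\PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe"
STAGE = r"C:\Users\u\AppData\Local\clientpc"   # assumed location of the hidden folder
SAMPLE_EVENTS = [
    Event("process_create", LURE, "explorer.exe"),
    Event("file_create", STAGE + r"\otlook.exe", "detalhes PDF.exe"),
    Event("file_create", STAGE + r"\cliente.dll", "detalhes PDF.exe"),
    Event("file_create", STAGE + r"\libmySQL50.DLL", "detalhes PDF.exe"),
    Event("image_load", STAGE + r"\libmySQL50.DLL", "otlook.exe"),
    Event("file_create", r"C:\Users\u\Documents\report.pdf", "winword.exe"),
    Event("image_load", r"C:\Program Files\MySQL\bin\libmysql.dll", "mysqld.exe"),
]

if __name__ == "__main__":
    for ev, alerts in scan(SAMPLE_EVENTS):
        print(ev.kind, ev.path)
        for a in alerts:
            print("   ->", a)
```

Rules 1 and 2 are generic (any document-named executable, any write into the staging folder) and survive a renamed payload; rules 3 and 4 are the brittle name-based indicators and are there so the two kinds can be compared on the same events.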