The Cobalt Strike advanced persistent threat (APT) group is using Google App Engine to spread PDF malware against financial firms.

by Cyber360 News
November 11, 2019
in Malware
Security researchers at Netskope have discovered a malware campaign in which attackers abuse Google App Engine, a platform-as-a-service hosted on Google Cloud Platform (GCP), to deliver malware via PDF decoys.

According to the researchers, the campaign is targeting financial and government institutions worldwide, large banks in particular. The evidence points to the actor Netskope calls Cobalt Strike (more commonly tracked as the Cobalt group, after the commercial Cobalt Strike post-exploitation framework it is known to use), a financially motivated crew with a history of malware attacks against financial firms.

[Screenshot: Hackers abusing Google App Engine to spread PDF malware. Credit: Netskope]

The investigation began this month, when Netskope saw several of its financial-sector customers receiving emails carrying .eml attachments that all triggered the same detection name. On closer inspection, the researchers confirmed that it was the .eml attachments themselves that were triggering the detection.

Notably, the .eml files carried either a Microsoft Word document with obfuscated macro code or a PDF decoy, which in turn fetched the second-stage payload.

“The PDF decoy detected in our customer instances downloaded a Word document named ‘Doc102018.doc’ containing obfuscated macro code… On execution, the victim is presented with a message to enable editing and content mode to view the document,” said Netskope researchers in their blog post.

Under normal circumstances a PDF reader displays a security warning whenever a document tries to connect to a website. Once “Remember this action for this site” has been checked for a domain, however, the reader allows any URL on that domain without prompting. That is exactly what the attackers rely on here: the domain in this case is appengine.google.com, so a user who has previously trusted it gets no prompt at all.

“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a Google App Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely.”

[Screenshot: Hackers abusing Google App Engine to spread PDF malware. Credit: Netskope]
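As an added illustration of how a defender might triage the .eml attachments described above (this is example code written for this page, not Netskope's tooling or anything from the original report), the script below parses a constructed .eml message, extracts any PDF part, pulls the PDF's link (/URI) actions out of the raw bytes, and flags links that sit on a trusted host such as appengine.google.com but carry another absolute URL in their query string, which is the shape of a trusted-domain redirect to attacker-controlled content. The sample message, the minimal PDF, the attacker host `attacker.example` and the query-parameter name `next` are all constructed for the example; the report quoted here does not give the exact URL pattern the attackers used, so the check deliberately inspects every query parameter rather than one specific name.

```python
"""Triage an .eml attachment: extract PDF parts and flag link actions that
bounce through a trusted host to somewhere else.

Added example for this page; not code from Netskope or the original article.
The sample message, PDF, hosts and parameter names below are constructed.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

# Hosts a reader (or a user's "Remember this action for this site" whitelist)
# is likely to trust implicitly. Assumption for this example; extend as needed.
TRUSTED_HOSTS = {"appengine.google.com"}

# Matches "/URI (literal string)" in PDF link / action dictionaries. Real PDFs
# may hex-encode or compress these objects, so this is a first-pass heuristic.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI string literal found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        # Undo the PDF string escapes that can legitimately appear in a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def redirect_target(url: str) -> str | None:
    """If url lives on a trusted host but any query-parameter value is itself
    an absolute URL pointing at a different host, return that other host."""
    parts = urlsplit(url)
    if parts.hostname not in TRUSTED_HOSTS:
        return None
    for values in parse_qs(parts.query).values():
        for value in values:
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.hostname and inner.hostname != parts.hostname:
                return inner.hostname
    return None


def triage_eml(eml_bytes: bytes) -> list[dict]:
    """Walk the message, scan every PDF part, and report each link found."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "application/pdf":
            continue
        for uri in extract_pdf_uris(part.get_payload(decode=True)):
            target = redirect_target(uri)
            findings.append({
                "attachment": part.get_filename(),
                "uri": uri,
                "redirects_to": target,
                "suspicious": target is not None,
            })
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample: a one-page PDF with two link annotations, one that
    bounces through the trusted host and one that stays on it."""
    pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
        b"/URI (https://appengine.google.com/path?next=https://attacker.example/Doc102018.doc) >> >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] /A << /S /URI "
        b"/URI (https://appengine.google.com/path?page=2) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # constructed
    msg["To"] = "analyst@example.net"       # constructed
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_eml(build_sample_eml()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['attachment']}: {finding['uri']} -> {finding['redirects_to']}")
```

The design choice worth noting is that `redirect_target` does not care which parameter carries the outbound URL: any trusted-host link whose query smuggles a different absolute host is reported, which is the property that makes a "remembered" trust decision for appengine.google.com dangerous regardless of which endpoint is abused. A production version would decompress object streams and decode hex strings before matching, and would also hand any Word attachment to a macro scanner, since the report says the PDF decoy itself only fetches the macro document.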

The researchers advise users not to download attachments from unknown senders and not to open them “unless they are very sure that they are benign.” They also recommend keeping systems patched, running an anti-malware solution, and checking suspicious URLs and files against VirusTotal.

This is not the first time a Google service has been abused to spread malware. A couple of days ago, researchers identified the DarkHydrus group's Phishery tool spreading a new variant of the RogueRobin malware, targeting Middle Eastern politicians by abusing Google Drive.

Last year, HackRead exclusively reported how hackers were using Google AdWords and Google Sites to spread malware disguised as a fake version of the Google Chrome browser.

In 2017, hackers were also found poisoning Google Search results (SEO malvertising and SERP poisoning) to distribute the Zeus Panda banking trojan.

In October last year, researchers noticed unusual, infrequent behaviour from Googlebot servers, with malicious requests originating from them. Further analysis showed that attackers were using Googlebot in cryptomining malware attacks.

© 2019 Cyber360 News - Powered by WebSensePro