The Carbanak cyber criminal gang is abusing Google’s infrastructure as a conduit for botnet control.
The gang became notorious when it was blamed for the theft of as much as one billion dollars from more than 100 banks across 30 countries back in 2015. Fast-forward two years and Carbanak's latest malware uses a script that sends and receives commands through Google Apps and Google Forms services, so its command-and-control traffic blends in with legitimate Google traffic.
Hackers behind the campaign are procuring legitimate digital certificates via Russian shell corporations in order to mount the ongoing assault, the sophistication of which is above and beyond that commonly encountered in cybercrime campaigns and closer to the tradecraft employed by nation-state spies.
Forcepoint Security Labs reckons the gang is likely using Google services because they are allowed by default at many organisations, making it easier for the attackers to exfiltrate data and receive instructions without tripping web-filtering controls.
The latest run of attacks features booby-trapped RTF documents containing an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware, as explained in greater depth in a Forcepoint blog post.
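A first-pass triage of an RTF lure of the kind described above, as an added example that is not Forcepoint's or Trustwave's code: it pulls every hex-encoded `\objdata` embedded-object payload out of the document and searches the decoded bytes for common VBScript markers. The sample RTF, the script fragment and the indicator list are all constructed here for illustration; nothing in it is a real Carbanak artefact.

```python
import binascii
import re

# Constructed sample: a minimal RTF carrying one embedded object whose \objdata
# hex payload holds a VBScript fragment. The script body is invented and the
# file is a stand-in for a weaponised document, not a real malware sample.
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell"): sh.Run "cmd /c echo demo"'
HEX = binascii.hexlify(SAMPLE_VBS)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objdata\n"
    + HEX[:40] + b"\n" + HEX[40:] + b"\n}}}"   # hex is usually line-wrapped
)
# Constructed benign control: text only, no embedded objects.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"

# \objdata is followed by hex digits, often broken across lines, up to the
# closing brace of the destination group.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")

# Assumed indicator list: plain-text VBScript markers a triage pass would look
# for. An encoded script (as the article describes) will not match these and
# must be handed to a fuller decoder.
SCRIPT_INDICATORS = [
    b"CreateObject", b"WScript.Shell", b"Scripting.FileSystemObject",
    b"ExecuteGlobal", b"Execute", b"Chr(", b"ShellExecute",
]


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata block in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Count embedded objects and report which script indicators they contain."""
    blobs = extract_objdata(rtf)
    hits = set()
    for blob in blobs:
        lowered = blob.lower()
        for indicator in SCRIPT_INDICATORS:
            if indicator.lower() in lowered:
                hits.add(indicator.decode())
    return {
        "embedded_objects": len(blobs),
        "script_indicators": sorted(hits),
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

This only handles the hex form of `\objdata`; RTF can also carry raw bytes via `\bin`, and in a real document the decoded blob is an OLE1 wrapper around the payload rather than bare script. Treat a non-zero `embedded_objects` count as reason to run the blob through a proper RTF object extractor rather than as a verdict on its own.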
Trustwave adds that Carbanak’s latest campaign is aimed at the hospitality industry. One (unnamed) restaurant chain with over 1,500 locations, as well as an (also unnamed) luxury hotel chain have already been affected.
Firms in e-commerce and retail are also potentially at risk from the latest attacks, it adds. Trustwave published a 45-page report on the group's latest antics and a summary blog post on Wednesday.
The latest run of attacks follows reports back in August that the Carbanak gang was targeting payment terminal makers, assaults that increasingly look like phase one of an ambitious series of cyber-heists. ®