Malware directs stolen documents to Google Drive
Researchers have uncovered a new type of information-stealing malware that is apparently used in campaigns targeting government agencies and can syphon files from compromised computers to Google Drive.
Dubbed Drigo, the malware uploads Excel, Word, PDF, text and Powerpoint files it finds on the infected computer – including the Recycle Bin – to Google Drive. In order to do this, the malware contains the client_id, the client_secret and a refresh token.
“Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive. This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website,” Trend Micro threats analyst Kervin Alintanahin explained in a blog post.
“Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens. We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.”
The researchers managed to get a peek into the Google Drive account in question, and the names of the files they found in there lead them to believe that the attackers targeted mostly government agencies.
In fact, they speculate that this malware has been made specifically for reconnaissance purposes.
“After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” noted Alintanahin.
Google has been notified of the malicious use of this account, and has likely shut it down. But if the malware updates itself by regularly downloading a new configuration file, it’s possible that the attackers need to simply open and designate a new Google Drive account as the destination for the stolen documents.