Carbanak Cybercrime Group Uses Public Google Services to Control Malware Operations

Cybercrime gangs are becoming bolder at every turn. The Carbanak group is back after a brief absence, and they are now using cloud servers to operate their command-and-control servers. To be more precise, the group employs Google’s servers to distribute and control its malware. A brash move that goes to show cyber criminals aren’t afraid of anything.

Carbanak Returns With A Bang

Forcepoint Security Labs researchers announced that they have spotted new activity linked to the Carbanak crime gang. This particular group of criminals is responsible for hacking and stealing funds from various financial institutions throughout the course of 2015. By using highly sophisticated malware, the group was able to infiltrate computer networks and conduct their business without being caught.

Damages done by the Carbanak group are estimated to top US$1bn. This notorious group of criminals stole the funds over the course of two years by integrating close to 100 banks in several dozen countries. In most cases, they targeted bank employees with spear phishing campaigns. Primary targets include Russian, Danish, and American financial institutions. None of the money stolen during these attacks was ever recovered.




As of 2017, the Carbanak group is back with a vengeance, and they have a new trick up their sleeve. It turns out they use Google’s Apps Script, Sheets, and Forms cloud-based services. All of these platforms are used to control their command-and-control operations related to the new type of malware being spread. The objective remains unchanged, defrauding banks and customers whenever they can.

The malware is being deployed through an RTF document containing an encoded Visual Basic script. Once a user is infected, the information will be sent back to the C&C server, which then makes a separate spreadsheet tab for each victim.In doing so, the Carbanak group uses a free tool to maintain a virtual “trophy hall” of victims, so to speak.

While most cybercrime gangs tend to lurk in the hidden corners of the internet, Carbanak is taking a very different approach. In fact, they are hiding in plain sight, and use one of the world’s largest technology companies’ public services. Google has been notified of this incident, but for now, no resolution has been offered yet.

One thing of particular concern is how using Google’s services will benefit their command-and-control server operations. New domains, or domains without any reputation, are less likely to be visited by recipients of the spear phishing emails. Google, on the other hand, is a household brand most people are all too familiar with. We can only hope the technology giant takes the necessary actions sooner rather than later.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

Leave a Reply