Skip to main content

Attackers rely on Google Sheets to spread malware through CSV files



 
  • The malware appears to be a variant of the infamous NanoCore trojan.
CSV files containing the malware payload circumvent Google filters using Google Sheets as a distribution method.
A unique malware that uses Google Sheets has been discovered by well-known cyber security researcher Marco Ramili. The malware is found to be an improved version of the NanoCore RAT detected in 2014. It seems that attackers write malicious code in the cells of CSV files to automatically inject the system with the malware.
Ramili who received a spam mail containing this CSV file, mentioned that one of the cells had an executable command. “A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution,” he said.
Google Sheets as a malware vector
Earlier, attackers relied on desktop applications such as Microsoft Excel, LibreOffice and Apache OpenOffice due to the reason that they supported Dynamic Data Exchange (DDE). This feature/bug was the main exploit for threat actors. OpenOffice and LibreOffice patched this vulnerability in versions 4.1.1 and 4.3.1 respectively.
In case of files shared through Google Sheets, normal users are likely to consider the file trustworthy, thus exposing themselves to the malware lying in the file if they download and open it locally with Excel.
Modus Operandi
The attackers bypass Google security filters by injecting malicious code in CSV files which are not heavily scanned by Google. Then they share this file with unsuspecting users, asking them to download and open it Microsoft Excel, citing compatibility issues.
Many users fall for this trick and download the file to open it locally on their device. Thus, Google Sheets acts as a malware dropper. As soon as they open it locally, Microsoft Excel becomes the malware executor.
Though the issue has been reported to Google by the security researcher, it has not been considered as a security bug by the company.


Global Locations

  • Block A, A-25, Second Floor, Sector 3
    Noida, Uttar Pradesh    +91-120 429 1672+91 931 991 8771
Labels:

Comments

Post a Comment

Popular posts from this blog

Tr0ll 1.0 – Vulnhub CTF Challenge Walkthrough

  Tr0ll 1.0 is an intentionally vulnerable machine, which is more of a   CTF  like type than real world scenario. Nevertheless, this machine has its own difficulties and you can learn some new stuff from it. So, let’s start. Enumeration Phase Let’s first run  netdiscover  to find the IP of our machine. netdiscover -r 192.168.1.1/24 After that, we run our typical  nmap  scan to see the open ports in the machine. nmap -A -sS -Pn -vv [target] Great we see many interesting stuff here. First of all, there is an open  FTP  port and we can connect to it with  anonymous access .  Also there is an open  http  port, we will run a nikto scan for it. The  ssh  port will be valuable later. From the nikto scan we got an interesting  /secret/  folder. When we get inside, we can understand why the machine got this name. Nothing interesting here, as you can see. we got trolled Let’s connect to the ftp server. When we get asked for the username we type ‘ anonymous ‘ and we l
Post a Comment
Read more

Digital Marketing Services in noida

Red Securium Company Provide Digital Marketing Service In Noida Strengthen your brand positioning, awareness, revenue objectives and market share with our custom-built digital marketing services to suit their business needs. Get easily accessible to your target audience on mobiles and social networking sites across different platforms. Our cross-functional digital marketing experts offer end-to-end digital marketing solutions that are in step with your business's goals and policies. Our targeted digital marketing campaigns are custom-structured for helping you in strengthening your brand positioning, awareness, revenue objectives and market share. Digital Marketing Services  Digital Marketing Service  Social Network Marketing Service Seo Services Marketing  PPC Marketing Service  Social Media Marketing Sales Generation Services  Mobile Marketing Service  Content Marketing Service Event Marketing Service  Video Marketing Service Video Lo
7 comments
Read more

Uber fined $1.1 million by UK and Dutch regulators over 2016 data breach

British and Dutch data protection regulators Tuesday hit the ride-sharing company Uber with a total fine of $1,170,892 (~ 1.1 million) for failing to protect its customers’ personal information during a 2016 cyber attack involving millions of users. Late last year, Uber unveiled that the company had suffered a  massive data breach  in October 2016, exposing names, email addresses and phone numbers of 57 million Uber riders and drivers along with driving license numbers of around 600,000 drivers. Besides this, it was also reported that instead of disclosing the breach at the time, the company  paid $100,000 in ransom  to the two hackers with access to the stolen data in exchange for keeping the incident secret and deleting the information. Today Britain’s Information Commissioner’s Office (ICO)  fined  Uber 385,000 pounds ($491,102), while the Dutch Data Protection Authority (Dutch DPA)  levied  a 600,000 euro ($679,790) penalty on Uber for failing to protect the personal informa
2 comments
Read more