A new malware using Google App Engine to create malicious PDF files

Cobalt Strike malicious hackers group is abusing Google App Engine to distribute malware embedded in PDF documents

Network security and ethical hacking specialists from the International Institute of Cyber Security reported the emergence of a complex campaign of malware attacks in which hackers exploit Google App Engine, a cloud computing platform, to deploy malware using specially crafted PDF files.

The main targets of this campaign are government and financial institutions, especially banks with worldwide presence, as mentioned in the research. From the evidence collected so far, researchers believe that the Cobalt Strike hacking group is behind these attacks.

At the beginning of 2019, multiple organizations began receiving similar emails with .eml extension attachments. By investigating this trend, network security specialists were able to confirm that these attachments were activating enterprise detection systems.

“The PDF file detected in these organizations downloads a Word document (Doc102018.doc) with a confusing macro code. During execution, the victim finds a message to enable the document edit mode”.

The PDF reader regularly displays a security warning when a file is linked to a website. However, once this action is recalled for this site, any URLs within this domain are allowed to be chained without showing any notice.

“This attack is much more effective because it shows a Google App Engine URL to redirect the victim to the malicious website. Because the payload seems to come from a reliable source, users are more likely to fall into the trap”.

Experts recommend users not to download attachments from unknown sources, especially if they are in emails of dubious provenance. It is also recommended to keep all systems updated and implement the antimalware solution that best suits users.

This is not the first time that malicious hackers take advantage of a Google service to distribute harmful software. Recently it was discovered on the Internet the tool DarkHydrus, used to distribute the malware RogueRobin through Google Drive. 

In addition, multiple reports of network security specialists mention the use of Google Sites and Adwords platforms to distribute malware using a spoofed version of the Chrome browser. There is also evidence to confirm that malicious hackers are able to use Google search results to distribute malware variants using Search Engine Optimization (SEO) poisoning and malvertising campaigns.