{
	"id": "1a09a473-de07-4908-bd99-c6313b3d31ed",
	"created_at": "2026-04-06T00:15:48.868917Z",
	"updated_at": "2026-04-10T13:12:41.570314Z",
	"deleted_at": null,
	"sha1_hash": "e1db2196ab704524b98e7706ce3566a9e030051e",
	"title": "Carbanak Group uses Google for malware command-and-control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179039,
	"plain_text": "Carbanak Group uses Google for malware command-and-control\r\nPublished: 2017-01-17 · Archived: 2026-04-05 20:37:13 UTC\r\nForcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak\r\ncriminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak\r\nmalware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C\u0026C) communication. We have notified Google of the abuse and are working with them to share\r\nadditional information.\r\nCarbanak (also known as Anunak) are a group of financially motivated criminals first exposed in 2015. The actors\r\ntypically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign\r\ndubbed \"Digital Plagiarist\" was exposed where the group used weaponized office documents hosted on mirrored\r\ndomains, in order to distribute malware.\r\nWeaponized document\r\nThe RTF document we analyzed (SHA1 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d) has an\r\nembedded OLE object which contains a VBScript file. When the document is opened the targeted user is lured\r\ninto double-clicking on the embedded OLE object which is disguised as an image:\r\nhttps://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control\r\nPage 1 of 5\n\nDouble-clicking on the image results in a file open dialog for \"unprotected.vbe\". If the user executes this file then\r\nthe VBScript malware will begin to execute.\r\nEncoded VBScript malware\r\nThe VBScript malware inside the RTF document (SHA1 cd75662751c59951717b4704ea2cdb6fb7ec19bc) is an\r\nencoded VBScript file. We decoded the script and found hallmarks typical of the Carbanak group's VBScript\r\nmalware; however, we also found the addition of a new \"ggldr\" script module.\r\nThe module is base64 encoded inside the main VBScript file along with various other VBScript modules used by\r\nthe malware. When we analyzed the script we noticed that it is capable of using Google services as a C\u0026C\r\nchannel.\r\nAbusing Google for C\u0026C communication\r\nThe \"ggldr\" script will send and receive commands to and from Google Apps Script, Google Sheets, and Google\r\nForms services. For each infected user a unique Google Sheets spreadsheet is dynamically created in order to\r\nmanage each victim. The use of a legitimate third-party service like this one gives the attacker the ability to hide in\r\nplain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more\r\nlikely that the attacker will establish a C\u0026C channel successfully.\r\nThe C\u0026C procedure is outlined in the diagram below.\r\nUpon the first attempt to contact the hard-coded Google Apps Script URL with the user's unique infection ID, the\r\nC\u0026C will state that no spreadsheet currently exists for the user. The malware will then send two requests to\r\nanother hard-coded Google Forms URL which will result in the creation of a unique Google Sheets spreadsheet and\r\nGoogle Form ID for the victim.\r\nThe second time the Google Apps Script is requested, the C\u0026C will return the unique Google Sheet and Google\r\nForm ID values:\r\nThe \"entry\" value is also a unique ID which is sent with each subsequent Google Forms C\u0026C request.\r\nProtection statement\r\nForcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:\r\nStage 5 (Dropper File) - The malware components are prevented from being downloaded and/or executed.\r\nStage 6 (Call Home) - The HTTP-based Carbanak C\u0026C traffic is blocked.\r\nSummary\r\nThe Carbanak actors continue to look for stealth techniques to evade detection. Using Google as an independent\r\nC\u0026C channel is likely to be more successful than using newly created domains or domains with no reputation.\r\nForcepoint will continue to monitor this group's activities and share data with trusted partners.\r\nIndicators of Compromise\r\nCarbanak Documents\r\n1ec48e5c0b88f4f850facc718bbdec9200e4bd2d (3-ThompsonDan.rtf)\r\n400f02249ba29a19ad261373e6ff3488646e95fb (order.docx)\r\n88f9bf3d6e767f1d324632b998051f4730f011c3 (claim.rtf)\r\nCarbanak Google Apps Script C\u0026Cs\r\nhxxps://script.google[.]com/macros/s/AKfycbzuykcvX7j3TlBNyQfxtB1mqii31b4VTON640yiRJT0t6rS4s4/exec\r\nhxxps://script.google[.]com/macros/s/AKfycbxxx5DHr0F8AYhLuDjnp7kGNELq6g27J4c_JWWx1p1nDfZh6InO/exec\r\nhxxps://script.google[.]com/macros/s/AKfycbwZHCgg5EsCiPup_mNxDbSX7k7yBMeXWenOVN1BWXHmyBpb8ng/exec\r\nCarbanak Google Forms C\u0026Cs\r\nhxxps://docs.google[.]com/forms/d/e/1FAIpQLScx9gwNadC7Vjo11mXLbU3aBQRrqVpoWjmNJ1ZneqpjaYLE3g/formResp\r\nhxxps://docs.google[.]com/forms/d/e/1FAIpQLSfE9kshYBFSDAfRclW8m9rAdajqoYhzhEYmEAgZexE3LQ-17A/formResp\r\nhxxps://docs.google[.]com/forms/d/e/1FAIpQLSdcdE7lTEiqV5MW3Up8Hgcy5NGkIKnLKoe0YPFriD4_9qYq9A/formResp\r\nCarbanak C\u0026Cs\r\nhxxp://atlantis-bahamas[.]com/css/informs.jsp\r\nhxxp://138[.]201[.]44[.]4/informs.jsp\r\nCarbanak Cobalt Strike / Meterpreter DNS Beacon C\u0026Cs\r\naaa.stage.15594901.en.onokder[.]com\r\naaa.stage.4710846.ns3.kiposerd[.]com\r\nSource: https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control"
	],
	"report_names": [
		"carbanak-group-uses-google-malware-command-and-control"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1db2196ab704524b98e7706ce3566a9e030051e.pdf",
		"text": "https://archive.orkl.eu/e1db2196ab704524b98e7706ce3566a9e030051e.txt",
		"img": "https://archive.orkl.eu/e1db2196ab704524b98e7706ce3566a9e030051e.jpg"
	}
}