It was discovered that the infamous “Cobalt” hacking group has been using Google App Engine to deliver malware as fake PDF documents.
For those who don’t know, Cobalt first appeared in 2016. It is a Russian hacker group known for cyber attacks against several financial institutions, including Russian and Romanian banks. Its most famous theft was $9.7 million from the Russian Metallinvestbank.
Today it was announced that the same hackers abused a URL redirection, embedded in PDF decoy documents, to deliver malware.
To gain the victim’s trust, the infamous group used HTTPS URLs pointing through Google App Engine.
All the infected PDFs, created with Adobe Acrobat 18.0, are delivered via emails.
The redirection is made possible by abusing a weakness of the kind the Open Web Application Security Project (OWASP) classifies as Unvalidated Redirects and Forwards: the redirect endpoint forwards the browser to whatever destination it is handed, without checking that destination.
Cyber attack modus operandi:
When the URL is accessed, the user is logged out from appengine.google.com and the server answers with a ‘302’ status code, which makes the browser follow the redirection. The user is then redirected to google.com/url through the “?continue=” query parameter.
Normally, a PDF reader displays a security warning when a document containing a link tries to connect to a website. In this case, however, the address shown in the prompt is appengine.google.com, and because Google is a trusted service no warning is displayed.
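The mechanism described above is easiest to see in code. The following Python is an added example, not code from the article or from Google: it unwraps a link whose visible host is trusted but whose nested redirect parameters lead elsewhere (the kind of check a mail gateway or PDF link scanner can run), and beside it shows the server-side fix pattern for a `continue` parameter, which only honours relative paths or allowlisted hosts. The sample URL, the `/logout` path, the `decoy.example` host and the parameter names are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter names that redirect endpoints commonly use to carry the
# next destination. The list is an assumption for this example.
REDIRECT_PARAMS = ("continue", "url", "q", "redirect", "next")

# Constructed sample: a google.com host on the outside, an attacker-controlled
# host buried two redirect layers deep (decoy.example is a placeholder).
SAMPLE_URL = (
    "https://appengine.google.com/logout?continue="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "https%253A%252F%252Fdecoy.example%252Finvoice.pdf"
)


def unwrap_redirects(url: str, max_depth: int = 5) -> list:
    """Return the chain of absolute URLs carried in redirect parameters.

    parse_qs percent-decodes one layer per hop, so a doubly encoded inner
    URL is decoded naturally as the chain is followed.
    """
    chain = [url]
    current = url
    for _ in range(max_depth):
        params = parse_qs(urlsplit(current).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            if name in params:
                nxt = params[name][0]
                break
        # Stop when there is no redirect parameter or it is not an absolute URL.
        if nxt is None or not nxt.lower().startswith(("http://", "https://")):
            break
        chain.append(nxt)
        current = nxt
    return chain


def final_host(url: str) -> str:
    """Host of the last URL in the redirect chain."""
    return urlsplit(unwrap_redirects(url)[-1]).hostname or ""


def _trusted(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_disguised_link(url: str, trusted_suffixes=("google.com",)) -> bool:
    """True when the visible host is trusted but the final destination is not.

    This is the scanner-side check: the link looks like Google, yet the
    browser would end up somewhere else.
    """
    visible = urlsplit(url).hostname or ""
    return _trusted(visible, trusted_suffixes) and not _trusted(
        final_host(url), trusted_suffixes
    )


def safe_continue(target: str, allowed_hosts: frozenset, default: str = "/") -> str:
    """Server-side fix pattern for an unvalidated 'continue' parameter.

    Accept only a same-site relative path or an absolute URL whose host is on
    the allowlist; everything else falls back to a fixed default. Rejecting
    '//' and backslashes closes scheme-relative and '/\\' tricks that some
    browsers normalise into a different host.
    """
    if "\\" in target:
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Use .hostname, not .netloc, so 'trusted.host@evil.host' is judged by evil.host.
    if parts.scheme in ("http", "https") and (parts.hostname or "").lower() in allowed_hosts:
        return target
    return default


if __name__ == "__main__":
    for hop in unwrap_redirects(SAMPLE_URL):
        print("->", hop)
    print("disguised:", is_disguised_link(SAMPLE_URL))
    print("fixed redirect:", safe_continue("//decoy.example/x", frozenset({"appengine.google.com"})))
```

`unwrap_redirects` deliberately follows only parameters that carry absolute URLs; a search query such as `?q=owasp` is not a redirect and is left alone, so ordinary Google links are not flagged.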
Remember, everything can be hacked. To stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; these tests include penetration testing and ethical hacking tests.
During a malware analysis, cybersecurity researchers found that the PDFs led to the download of a Microsoft Word document containing obfuscated macro code. Once the obfuscated macro runs, it executes a second macro, which downloads a second-stage payload.
This second-stage payload is a .txt file that is executed with the Microsoft Connection Manager Profile Installer (cmstp.exe).
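The chain described in the two paragraphs above (Office document, macro, then a non-.inf file handed to cmstp.exe) leaves a recognisable trace in process-creation telemetry. The Python below is an added detection example, not from the article or from any vendor product: it parses constructed key=value process-creation log lines (the format and the sample lines are assumptions) and flags cmstp.exe launches whose parent is an Office application, whose argument is not an .inf file, or whose argument lives in a user-writable directory.

```python
import re

# Parents that should never be spawning the Connection Manager Profile Installer.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories a normal, admin-deployed connection profile would not live in.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed sample telemetry (not from the article). One event per line,
# key=value fields, quoted value for the command line.
SAMPLE_EVENTS = [
    'ts=2018-11-20T10:12:03Z host=WS01 parent=explorer.exe image=C:\\Windows\\System32\\cmstp.exe '
    'cmdline="cmstp.exe C:\\Program Files\\VPN\\corp.inf"',
    'ts=2018-11-20T10:13:44Z host=WS07 parent=WINWORD.EXE image=C:\\Windows\\System32\\cmstp.exe '
    'cmdline="cmstp.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.txt"',
    'ts=2018-11-20T10:14:01Z host=WS07 parent=WINWORD.EXE image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe readme.txt"',
    'ts=2018-11-20T10:15:30Z host=WS03 parent=cmd.exe image=C:\\Windows\\System32\\cmstp.exe '
    'cmdline="cmstp.exe C:\\Users\\ann\\Downloads\\profile.txt"',
]

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    event = {}
    for m in _FIELD.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return event


def _basename(win_path: str) -> str:
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _profile_argument(cmdline: str) -> str:
    """Return the file argument of a cmstp command line, skipping '/' switches."""
    parts = cmdline.split(None, 1)
    rest = parts[1] if len(parts) > 1 else ""
    while rest.startswith("/"):
        pieces = rest.split(None, 1)
        rest = pieces[1] if len(pieces) > 1 else ""
    return rest.strip().strip('"')


def classify(event: dict):
    """Return a list of reasons the event is suspicious, [] if it looks benign,
    or None if the event is not a cmstp.exe launch at all."""
    if _basename(event.get("image", "")) != "cmstp.exe":
        return None
    reasons = []
    if event.get("parent", "").lower() in OFFICE_PARENTS:
        reasons.append("office-parent")
    target = _profile_argument(event.get("cmdline", ""))
    if not target.lower().endswith(".inf"):
        reasons.append("non-inf-argument")
    if any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable-path")
    return reasons


def find_suspicious(lines) -> list:
    """Return (timestamp, host, reasons) for every cmstp launch with at least one reason."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ts", ""), event.get("host", ""), reasons))
    return hits


if __name__ == "__main__":
    for ts, host, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ts, host, ", ".join(reasons))
```

The benign first line (an admin-installed .inf under Program Files, launched from Explorer) produces no reasons, which is the point of checking the argument and the path rather than alerting on every cmstp.exe start.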
The same researchers found that the recent cyber attacks targeted more than 20 banks, government bodies and financial institutions around the globe.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network, such as penetration testing and ethical hacking.