Antivirus company Symantec has detected a new malicious software using Google Docs, which has become part of Google Drive, as an intermediary for communication with the attack. This approach allows to hide malicious traffic.
New malicious code is included in the family Backdoor.Makadocs and uses the Google Docs Viewer to act as a proxy server to receive instructions from the real command server. Google Docs Viewer was originally created to display the different types of files from remote addresses directly in the operating window Google Docs. “Violating the policy of using Google, Backdoor.Makadocs uses the Viewer to access the C & C-server”, – says Symantec antivirus specialist Takashi Katsuk.
It is possible that the malware author has used this approach to complicate the detection of malicious code from antivirus software, as Google Drive defaults to HTTPS-protected connections, and most of the system analizitorov programmed to recognize Google as a trusted service.
In Google also confirmed that such use violates the terms of work.
Backdoor.Makadocs spreads via RTF or DOC files, but it does not use system vulnerabilities to invade the victim computer, it runs on a method of social engineering, trying to entice the user to open the actual malicious code and run it in the system. Like most other backdoors, after infection the code includes a computer in the botnet to work in the interests of the operators.
Katsuko says that the code has been found yet another interesting aspect: it contains an element for detecting Windows Server 2012 or Windows 8, which indicates that it is the interest of hackers to new systems.