- The malware is used against victims who speak Portuguese or English.
- The attack begins with victims receiving phishing emails about a hotel reservation or confirmation.
Cybercriminals are deploying a banking trojan using the file cabinet template built into the Google Sites platform. The malware, dubbed LoadPCBanker, is used against victims who speak Portuguese or English.
How is the trojan deployed – Security researchers at Netskope found that the attackers rely on a drive-by download to deliver the trojan, with Google's own infrastructure hosting the payload.
In this campaign, the threat actors first create a new website using Google Sites and then upload the payload through the file cabinet template, so that the download is served from a legitimate Google domain. In the final stage, the resulting URL is sent to potential targets.
How does the attack work – The attack begins with victims receiving phishing emails about a hotel reservation or confirmation. The email includes a link to the malicious site on the Google Sites platform.
If a recipient clicks the link, a file that appears to be a PDF is downloaded. It is not a document at all: the file is the malware itself, disguised as a guesthouse or hotel reservation.
Once LoadPCBanker is installed, it collects several kinds of sensitive data from the victim's machine: it captures screenshots, steals clipboard contents and records keystrokes. The malware sends the collected data to a MySQL server controlled by the attackers.
The malware also gathers information about the infected machine itself.
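The two observables described above, a download that presents itself as a PDF but is really a program, and an endpoint talking to an attacker-run MySQL server, are both cheap to check for. The script below is an added example written for this article, not Netskope's code or anything from the campaign: it assumes the disguised file is a Windows executable (the article does not say what format the "PDF" actually is), and the file names, the fake PE bytes and the connection log lines are all constructed here for illustration.

```python
"""Triage helpers for the LoadPCBanker-style tradecraft described in the
article: (1) a download whose name reads as a PDF but whose bytes are a
Windows executable, and (2) a workstation opening a MySQL connection to an
address outside the organisation.  Added example; all samples are constructed."""
import re
import struct
from ipaddress import ip_address, ip_network

PDF_MAGIC = b"%PDF-"          # every well-formed PDF starts with this
PE_MAGIC = b"MZ"              # DOS header of a Windows PE executable
MYSQL_PORT = 3306
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def looks_like_pdf_name(filename: str) -> bool:
    """True when the name is meant to read as a PDF to a user: a real .pdf
    extension, a double extension (reservation.pdf.exe) or a '_pdf' / '-pdf'
    tail in front of the true extension (reserva_pdf.exe)."""
    name = filename.lower()
    return name.endswith(".pdf") or bool(
        re.search(r"[._-]pdf(\.[a-z0-9]{1,4})?$", name))


def is_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' header and that e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature, rather than trusting the first two bytes alone."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Decide by content, not by name: a PE with a PDF-looking name is the
    masquerade the article describes."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if is_pe(data):
        return "masquerading-executable" if looks_like_pdf_name(filename) else "executable"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed minimal PE header (not a real program) for testing."""
    hdr = bytearray(PE_MAGIC + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed connection-log lines; 198.51.100.x / 203.0.113.x (TEST-NET)
# stand in for internet hosts.  Hypothetical format: src= dst= dport=.
SAMPLE_CONN_LOG = [
    "2019-03-04T10:22:13Z src=10.0.5.21 dst=10.0.9.10 dport=3306 proto=tcp",
    "2019-03-04T10:22:40Z src=10.0.5.21 dst=198.51.100.7 dport=3306 proto=tcp",
    "2019-03-04T10:23:01Z src=10.0.5.33 dst=198.51.100.7 dport=443 proto=tcp",
    "2019-03-04T10:25:19Z src=10.0.7.4 dst=203.0.113.12 dport=3306 proto=tcp",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def flag_external_mysql(log_lines):
    """Return (src, dst) pairs where a host speaks to TCP/3306 on an address
    outside RFC 1918 space.  Internal database traffic is left alone; a
    workstation pushing data straight to a MySQL server on the internet is
    the exfiltration path the article describes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m["dport"]) != MYSQL_PORT:
            continue
        dst = ip_address(m["dst"])
        if not any(dst in net for net in RFC1918):
            hits.append((m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    print(classify_download("Reserva_Hotel_pdf.exe", build_fake_pe()))
    print(classify_download("Reserva_Hotel.pdf", b"%PDF-1.7\n%constructed"))
    for src, dst in flag_external_mysql(SAMPLE_CONN_LOG):
        print(f"external MySQL connection: {src} -> {dst}")
```

Both checks are deliberately content-based: the file check ignores the icon and the name the user sees, and the network check does not depend on knowing the attacker's server in advance, only on the fact that a user workstation has no business speaking the MySQL protocol to the internet.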
“During our analysis, we identified that the threat actor was particularly interested in surveilling a specific set of machines and capturing screenshots of the victims’ machines that were compromised from this attack. We derived this because we noticed a lot of infected machine responses, but only a few were being actively surveilled. At the time of writing, the threat actor was actively monitoring 20 infected hosts,” Netskope’s Ashwin Vamshi wrote in a blog post.
The bottom line – Researchers note that similar malware has been around since early 2014. The latest wave of attacks, however, has been ongoing since February 2019. It is unclear whether the same group is behind the latest attacks or whether the source code was shared with other threat actors.