Hackers Now Exploit Google Sheets To Spread CSV Malware (Feb 5, 2019)
Threat actors have been observed utilising Google Sheets to distribute malware. Researcher Marco Ramilli received a phishing email that bypassed Google's spam filters by using a Google Sheets document, and found "a series of empty fields preceding a final and fake formula piping a CMD.exe command. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution." This then installs a variant of the "NanoCore" Remote Access Trojan (RAT). The malware is able to install itself onto the device whether it is opened in Google Sheets or downloaded and opened locally in Microsoft Excel.
Recommendation: By utilising a Google product, threat actors are able to exploit the fact that Google Drive and Gmail spam filters will not filter out Google-related content. The actors are also taking advantage of individuals tendency to trust Google sheets as being safe. If you receive an invitation to view a Google Sheet document from an unknown user, do not open it or download it. Treat these just as one would treat a normal phishing email containing an attachment or link, and do not open it or accept macros to be enabled.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.