Malware Hosted in Google Sites Sends Data to MySQL Server
(Apr 23, 2019)
According to security researchers, an information-stealing malware called "LoadPCBanker" has been discovered hosted on Google Sites, Google's platform for building websites. The malware is disguised as a PDF file said to hold "guest house reservation information" and is stored in "File Cabinet," a storage space for Google Sites; the threat actor sends a URL link to the file to potential victims. If a user launches the file, a typosquatted program, "Otlook.exe," is installed to trick the user into thinking it is the legitimate Microsoft Outlook, when it actually functions as an information stealer that steals login credentials, logs keystrokes, records data saved in the clipboard, and takes screenshots. The information is then uploaded to a SQL database controlled by the threat actor.
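Two of the behaviours described above lend themselves to endpoint detection: a process whose image name is a near-miss of a legitimate one ("Otlook.exe" against "Outlook.exe"), and an ordinary workstation process opening an outbound connection to a database server. The following is an added example written for this digest, not code from the article or from any vendor; the event records are constructed, the list of legitimate names is illustrative, and the use of MySQL's default port 3306 as the exfiltration port is an assumption, since the article only says the data goes to a threat-actor-controlled SQL database.

```python
"""Detection sketch for LoadPCBanker-style behaviour: typosquatted process
names and endpoint processes talking to a MySQL port. All events below are
constructed samples, not real telemetry."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate image names an information stealer might imitate (illustrative list).
KNOWN_GOOD = {"outlook.exe", "excel.exe", "winword.exe", "chrome.exe", "explorer.exe"}

# Assumption: the stealer exfiltrates over MySQL's default port. Adjust to the
# database ports your environment actually uses.
MYSQL_PORT = 3306


@dataclass
class ProcessEvent:
    host: str
    image: str                          # process image name as logged by the EDR/sysmon
    remote_port: Optional[int] = None   # destination port of an outbound connection, if any


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short process names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_match(image: str, known=KNOWN_GOOD, max_dist: int = 2) -> Optional[str]:
    """Return the legitimate name that `image` imitates, or None when the name
    is either an exact legitimate match or not close to anything we know."""
    name = image.lower()
    if name in known:
        return None
    best = min(known, key=lambda k: levenshtein(name, k))
    return best if levenshtein(name, best) <= max_dist else None


def analyze(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run both checks over a batch of events and return (host, image, reason) findings."""
    findings = []
    for ev in events:
        imitated = typosquat_match(ev.image)
        if imitated:
            findings.append((ev.host, ev.image, f"typosquat of {imitated}"))
        if ev.remote_port == MYSQL_PORT:
            findings.append((ev.host, ev.image, "outbound MySQL connection from endpoint"))
    return findings


# Constructed sample telemetry: one workstation shows both behaviours,
# the others are benign Outlook and Chrome activity.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "Otlook.exe", MYSQL_PORT),
    ProcessEvent("ws02", "Outlook.exe", 443),
    ProcessEvent("ws03", "chrome.exe"),
]

if __name__ == "__main__":
    for host, image, reason in analyze(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {reason}")
```

The edit-distance threshold of 2 is deliberately tight: it catches single-character drops and swaps like the one in this story while keeping unrelated names (notepad.exe, svchost.exe) out of the alert stream. The port check is the noisier of the two and is only meaningful when applied to hosts that have no business reaching a database directly.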
Recommendation: Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defence. Inform your employees of the dangers of phishing, specifically how it can take place in different forms of online communication, and whom to contact if a phishing attempt is identified.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.