An under-the-radar attack that creates fake Google Docs is now playing havoc across multiple sectors in the US and UK, particularly in healthcare. Companies’ increasing reliance on widely-used off-the-shelf external software may save costs and create efficiencies in the short term, but it also offers new inroads for the current generation of increasingly devious and skilled cybercriminals
Cybersecurity firm Netskope has identified a new Google Docs threat in the wild, AZORult infostealer. It is designed to steal sensitive information such as user credentials, browser information, credit card details, and crypto-wallet data. A comprehensive study conducted by Netskope’s research team has uncovered a campaign where an attacker created fake Google Docs pages on Google sites from which to download malicious payloads.
According to the Netskope study, From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites: “They lure their victims to the fake Google Docs pages to trick them into believing the downloaded file was from Google Docs.”
In most cases observed by Netskope in the internet’s wild frontier, the Darknet, the cybercriminals embed a smuggled malicious payload within Javascript, the programming language used by 99 percent of customer-facing websites. The malicious payload is embedded in a separate file hosted on an external website.
This particular attack is especially dangerous as it is extremely hard to detect. Azorult infostealer installs itself stealthily, using reflective code loading, bypassing disk-based detection, and minimizing artifacts. It also uses a bespoke bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.
Google Docs malware attacks are on the rise
What makes this tough-to-detect attack particularly insidious is that it uses the ubiquitous Google Docs software to capture its victims’ data. Designed to allow closed groups of users to read and edit documents, Google Docs has become a ubiquitous office tool in many types of organizations.
Until now, Google Docs has been regarded as a ‘safe’ place to share potentially sensitive documents, including information not intended for public consumption. But while legitimate Google Docs may be relatively secure, most employees or private individuals are unable to distinguish a genuine Google document from a fake. Unfortunately for Google, news of the proliferation of this form of attack comes hard on the heels of Google’s recent AI fiasco, Google Gemini, a product that had been launched prematurely.
Instead of using artificial intelligence to save users time in conducting research or creating original graphics, Google Gemini rarely failed to produce misleading and often hilarious inaccuracies. The most widely reported of these was its insistence that some of the founding fathers were Africans and that most Vikings were black. But while Google has hastily withdrawn the illustrations service from its new AI offering, a growing number of organizations in both the private and public sectors have become increasingly dependent on Google Docs, even in life-saving environments such as hospitals.
“Azorult is on the rise and is currently one of the top malware families that Netskope Threat Labs has observed targeting the healthcare industry over the last year,” warns Netskope.
