Cookie Maker: Inside the Google Docs Malicious Network

In the summer of 2018 it was discovered that Google documents with an access policy based on a specific link can be inadvertently indexed by search robots if those robots become aware of such links. As a result, the internal documents of a number of organizations became public. In one case, a document containing a summary of hiring policies in a Russian bank caught the attention of human rights activists. Among other things, it documented a policy prohibiting the hiring of certain groups of people based on their religion or sexual orientation.

There were also a lot of documents revealed that contained passwords in clear text. The problem was made worse because these documents could easily be found by using the key word “password” in the Google Documents domain. Now, before you rush to delve into other people's secrets, you might want to wait--at least until you finish reading this article. J Things aren’t always what they seem.

When the FortiGuard Labs team heard of this issue, we conducted a search just to see if any of Fortinet’s internal documents had been exposed. They were not. The only thing we discovered were the default passwords for Fortinet devices (these are the same passwords provided in our documentation, which are not secret).

Nevertheless, our search was not in vain because we also found something interesting. Here are the search results for the keyword “Fortiguard”:

168 results were found by Google in that search. (Interesting observation: the number of results produced by a Google search actually varies based on the country to which your IP belongs.) Among the 168 results just cited, more than 150 actually (more than 90%!) led to documents crafted by criminal actors. (So much for hurrying to look at “private” documents!)

About another 750 malicious results were found by searching with the keyword “Fortinet”. You can find links to some of the documents we discovered listed in the appendix. The reason this is a shorter list than what was mentioned is due to the fact that multiple search results led to the same documents. As we investigate this further you will understand how criminal actors managed to achieve these results.

Moreover, Fortinet’s situation is not unique. We learned that if we Googled the name of any major player in the cybersecurity market that we would stumble upon a hundred or more malicious documents. That’s when we realized that we are dealing with a campaign that includes thousands of malicious documents that have been inserted all over Google Docs.

We analyzed a number of these malicious documents and concluded that they were written in different languages, though primarily in English and Russian. Despite language differences, these documents all have a common structure. There is a large header, then a small random screenshot not necessarily related to the header, and then a hyperlink that is also written in a large font. In the figure below, you can see several examples of such documents. 

Below the hyperlink there is a lot of empty space that was specifically inserted to hide “rubbish text” inserted at the bottom of the document. However, this “rubbish text” serves the purpose of luring a Google crawler into indexing the document using the variety of different keywords the text includes. This explains why so many Google results lead to the much fewer final number of actual Google documents, because multiple links direct a user to the same document. 

If a victim clicks the hyperlink in the malicious document, a chain of redirects occurs. The destination is chosen based on the user-agent field of the “GET” request, as well as country of the victim's IP.

In this section we analyze the redirection chains generated by clicking the hyperlink of the document with the header “Fortiguard web filtering bypass software free download”. This document is shown in the upper left corner of the Figure 2. These results are similar to the links found on any of the documents.

First, we’ll list the overview redirection chain for Singapore’s VPN IP (our location) and the User-Agent corresponding to Google Chrome (our browser):

1. hxxp://vbtrst[.]pro/dnew?k=Fortiguard+web+filtering+bypass+software+free+download
2. hxxp://sxkwor[.]space/rtb/s/APEN2FuhOAAA4dsBAFNHGQASAGmZEJMA
3. hxxp://11fileupload-2[.]xyz/it…fA==
4. hxxp://static.21.101.69.159.clients.your-server[.]de/file?f=ae…05&utm_source=APEN2FuhOAAA4dsBAFNHGQASAGmZEJMA&utm_medium=14497&utm_campaign=default
5. hxxps://thimbleprojects[.]org/dedzsumkoi/528138/?method=blob&type=download&name=Rm9ydGlndWFyZF93ZWJfZmlsdGVyaW5nX2J5cGFzc19zb2Z0d2FyZV9mcmVlX2Rvd24ucmFy&v=
   eyJ0cmFuc2FjdGlvbl9pZCI6IjU0ODAyMjI1NiIsInRva2VuIjoiOWM0MDVmOTIwYTdhYTI2ODE0MzdkMjRkZGRhNTM2YTUifQ%3D%3D
6. hxxps://4requests[.]org/findic.php?v=eyJ0cmFuc2FjdGlvbl9pZCI6IjU0ODAyMjI1NiIsInRva2VuIjoiOWM0MDVmOTIwYTdhYTI2ODE0MzdkMjRkZGRhNTM2YTUifQ=="

Next, let’s analyze the unusual parameters used in each of these URLs:

1. hxxp://vbtrst[.]pro/dnew?k=Fortiguard+web+filtering+bypass+software+free+download
   The purpose of this first link’s parameter is obvious – it simply repeats the header of the document.
2. hxxp://sxkwor[.]space/rtb/s/APEN2FuhOAAA4dsBAFNHGQASAGmZEJMA
   The parameter of the second URL is a BASE64 encoded set of bytes.

• The first six bytes of the set is an UNIX Epoch timestamp in Little-endian byte order, shown in green on the picture below. 
• The next two bytes are “utm_medium number” in little-endian byte order, shown in yellow.
  We’ll show you how this field is used later on in this analysis.
• The thirteenth and fourteenth bytes (0-based count), shown in red, are a country code in ASCII encoding (big-endian byte order this time). When we tried different IPs we got different results for this field. Two different cases for Russian and Singapore IPs are depicted below.

Fortiguard_web_filtering_bypass_software_free_down.rar

Inside the archive there was also a malicious PE file, which we will discuss in the Windows Samples Analysis section.

As was mentioned earlier, the redirection chain is heavily dependent on the User-Agent field of the victim (we will use the abbreviation “UA” from here on for brevity). 

When we used the UA corresponding to IE11, we got the next chain of domains used:

Vbtrst[.]pro -> sxkwor[.]space -> 11fileupload-2[.]xyz -> static.21.101.69.159.clients.your-server[.]de

Yes, this chain looks very similar to the previous-one, except it was shortened. Here, the static.21.101.69.159.clients.your-server[.]de gives away malicious samples without additional “hops” to the thimbleprojects.org and 4requests[.]org. Our guess is that these additional redirections are used in an attempt to protect static.21.101.69.159.clients.your-server[.]de from being blacklisted by the Google Safe Browsing technology. 

When we used UAs corresponding to mobile devices or MacOS, we got two new chains of redirects. In the end of each chain, we got corresponding .APK or .DMG file. These files will be discussed in the separate chapter of this investigation.

During our tests using different IPs and User-Agent fields, we obtained a dozen different samples, all of them targeting the Windows platform. In this section, we will discuss the tricks used by these criminals in an attempt to avoid detection by antivirus vendors.

Although all studied samples share the same behaviors, they have a wide variety of different – and sometimes contradictory – internal structures. For example, one of the samples has the FileDescription field specified as “MODJO Internet Security”. Interestingly, this same sample also has a manifest where the description field is already specified as “Installs Adobe Flash Player”. 

To make things even more complicated, the same sample uses an icon that is very similar to the logo of the VK.com – a popular social network in Russian speaking countries.

Regarding the name “MODJO Internet Security” – we noticed that the last letter is changed from time to time. We were able to find the samples with following names:

                MODJO Internet Security

                MODJA Internet Security

                MODJB Internet Security

Another point of difference between the samples is the .RSRC section. Diversity is achieved through the use of various .png images packed inside. The number and size of these images differs significantly from sample to sample, although none of these images are ever shown to the victim.

So, why the samples different and inconsistent in so many ways? We cannot answer this question for sure, but our guess is that all parts of the samples are chaotically changed to avoid probable detection.

Although the samples have different internal structures, their behaviour is exactly the same. The communication between a malicious sample and its C2 server is shown on the figure below. We can see that the sample is sending a POST request to the C2 server. The C2 is also located on your-server.de hosting, like one of the redirection nodes we studied earlier. But, the C2 and redirection nodes uses different IPs.

The key shown on the figure:

The key shown on the figure was the same for every Windows sample studied, though that may depend on the original Google Document.

Upon receiving a response from the server, the sample tries to download and execute the web-installer of a legitimate third-party application GetGo Download Manager. Upon successful execution (or after several failed attempts), the sample then deletes itself.

We think that the purpose of the criminals who designed this was to abuse the referral programs of legitimate applications. When a referral program is involved, some sort of referral field is usually used to distinguish one referral from another. However, this is not the case in this instance: the request does not use a referral field, nor is the accessed URL any different from the URL a user obtains from the main Getgosoft page.

A distinctive feature of this query is the User-Agent field used:

                User-Agent: Medunja Solodunnja 6.0.0

Please take a note of the name used: we will come back to it later.

Another distinctive feature of this malicious campaign is that samples are compiled and signed “on the fly.” We compared the TimeStamp field inside the PE header of the samples and the actual time of the download. The difference between the two was not to exceed 5 minutes. Moreover, every sample is signed by the same valid digital signature at the moment it was downloaded.

We analyzed the certificates used to generate signatures and all of them were issued by the COMODO RSA Code Signing CA. Here are the certificates we encountered during our investigation:

We do not know how these criminals obtained these certificates. However, the names of the organizations look rather strange: they contain commas and dashes in the middle of the string. We would not be surprised if these certificates were not stolen, but rather, registered by the criminals right from the beginning. If that was the case, then it raises questions about what verification process is currently being used by Certification Authorities to ensure that a certificate requester is a legitimate company.

When we analysed the samples from this malware campaign, we also spotted some interesting results produced by Microsoft’s popular tool Sigcheck. For some reason, the samples discussed in this article utility (up to the latest 2.7 version) report the current system time instead of the signing time.

The same strange results were reported by the popular service VirusTotal. For example, on the picture below you can see that the last analysis of the sample was at 2018-11-14 14:05:19 GMT, but according to VT it was signed on 2018-11-14 15:05:00 (one hour ahead of the actual GMT time 😊)

FortiGuard labs reported the found bugs to the VirusTotal and Sysinternals teams. Mark Russinovich is already preparing a new version of the Sigcheck. VirusTotal confirms that they rely on the Sigcheck utility analysis when processing samples in their system and they are currently awaiting a new version of Sigcheck.

Let’s summarize some facts that we uncovered about these attackers during our analysis:

• The two most popular languages of the malicious documents are: English and Russian. If you look closely at Figure 3, you may notice the use of the Russian language in the second line from the top.
• The project name used by the criminals to abuse thimbleprojects[.]org is dedzsumkoi.
  Dedzsumkoi is a transliteration of the Russian word “Дед с сумкой”. This literally translates to: “Grandfather with a bag”.
• The criminals used the logo of VK.com – a popular social network in the Russian speaking countries.
• The User-Agent used by the criminals is “Medunja Solodunnja 6.0.0”
  Medunja Solodunnja is a transliteration of the Russian words “Медуня-солодуня”, which is a local cookie maker located near Lviv Ukraine. 

Summing up, we conclude that the criminals involved in this project are fluent in Russian, and they are possibly familiar the local cookie maker located near Lviv Ukraine, which gives us a strong possibility for their location.

When we analyzed the registration data for the domains used by the attackers, we found that almost all of the domain registration data is protected by services like WhoisGuard. The domain 4requests[.]org is no exception - currently all its registration data is hidden. But when we checked the whois history for this domain, we found that it was initially registered for an address … in Lviv Ukraine.

We cannot verify that the provided registrant data is not fake, but it does align with our other findings quite well. We checked the other domains registered under email egonow999[@]gmail.com and found 321 of them. Most of these domains were registered recently, and their names do not look as if they are intended to be used for any legitimate activity. 

FortiGuard Labs discovered a massive malicious Google Docs campaign which includes hundreds of malicious documents. Every malicious document leads to q chain of redirects based on victim’s User-Agent and IP.

We analyzed many of the redirection chains used inside this malicious network, as well as downloaded several samples. We concluded that the current goal of this network is to abuse the partner programs of other applications. However, this objective can be easily changed at any moment.

In addition, we analyzed the attribution details and got some ideas as to who might be behind these attacks, or at least, where these attacks might be originating from.

Android and MacOS samples will be discussed in upcoming articles. FortiGuard Labs will continue to monitor newly registered domains for malicious activity.

FortiGuard Web Filter blocks all of the discussed URLs and domains as malicious.

All discussed samples are detected with the following AV signature name:

                W32/Kryptik.GLKH!tr

Malicious User-Agent requests are blocked with the following IPS rule:

                ICLoader.Botnet

-=FortiGuard Lion Team=-

Certificates used by the criminals (all issued by COMODO RSA Code Signing CA):

11fileupload-2[.]xyz

4requests[.]org

addingmac[.]com

bigbinnd[.]info

bo2rzx9xhf[.]com

celebration-staff[.]com

g64cfg9yi6kx[.]com

grotmr[.]info

gurtn[.]mobi

letsweb[.]info

mtpint[.]mobi

prkrls[.]info

ptokp[.]pro

rplug[.]pro

rtrust[.]mobi

static[.]17[.]249[.]201[.]195[.]clients[.]your-server[.]de

static[.]21[.]101[.]69[.]159[.]clients[.]your-server[.]de

sxkwor[.]space

thimbleprojects[.]org/dedzsumkoi/

vbtrst[.]info

vbtrst[.]pro

docs[.]google[.]com/document/d/108eUwuO14F7_kNOFu_AwtJEz_8yNJ0aBPBWA8jVOVOc

docs[.]google[.]com/document/d/16-GlQzXBPqo2x3iI940f9YP0KvkrzUZe3BziW3VpqKw

docs[.]google[.]com/document/d/179LQ5l6sfsD26tZJSdy-KDdGnFo2xEmbPCUV7F-F_Po

docs[.]google[.]com/document/d/190Ksr2Wv9i2QjJeElcE9VVzEje-ia5k0BQVl5jOx6vE

docs[.]google[.]com/document/d/1ablKrM6fncizaXjRNiy7Hh173FGN6Qh-97ejLNjLNoc

docs[.]google[.]com/document/d/1BcCNV9lrYY3VCKCP6aNPoXkvUbWkMHT2nOSvo0J1xaI

docs[.]google[.]com/document/d/1bY0rh0bTdvn1w_YNBfGyyOjf3CXczH2BshO2e4jyLYI

docs[.]google[.]com/document/d/1cSOWCQz9BnNBLBy3p9elvtVO8j9M6eH3_GSL8M8hmpI

docs[.]google[.]com/document/d/1d1qp4cSYo6dJiTg71chmK8pgtp3mcN1eszOECq-uLLs

docs[.]google[.]com/document/d/1DNYWgm5TcL79V2nvUHKnLXKKSjIVajPCnBzsUfuSveo

docs[.]google[.]com/document/d/1dpzCp4KPCqcs-LQX1sXULqBvJvBPqs8kIUzouXbQVtw

docs[.]google[.]com/document/d/1DQX5_6t38AiByyWwRozVY1hRsEQ0VxVTFmi59Rf4tVk

docs[.]google[.]com/document/d/1eelW4H5sMw2tsvUKddRnAU9teLTysjD3hPx5Dr4dH2c

docs[.]google[.]com/document/d/1EH7mA3IiNKlz7davbT_qbX375abjZmpFqOQQm3waI7o

docs[.]google[.]com/document/d/1f-K3aUjt58OdlH5AY4T8El6SARljQNoF5rhebcjhEP0

docs[.]google[.]com/document/d/1Glqf2-XbQ9qQ-J06zgUkZyc3JTEscu3djJx-M0GznYI

docs[.]google[.]com/document/d/1go3VoTGpEc7jGn1QkiWQh_7HC7o1nGzL5OAmlH_oL-8

docs[.]google[.]com/document/d/1GuS41cKqL1xi0AUgHW93S90ZBoE7TxLWLjmcV6igj2c

docs[.]google[.]com/document/d/1hbeIiJemK0M27XoLgQMiRG5WeHp8kD19Eu401r6mnDE

docs[.]google[.]com/document/d/1hyw6Osx5dKcZPIeK0FtsuaiaGe1b3JiWyItRKPyScJg

docs[.]google[.]com/document/d/1IRnMq34rgmuTXGHMxx-zCzf_R7Oyv1HGRHtYWbBvYbc

docs[.]google[.]com/document/d/1IvWmw3KhLFN-SiF_j4hAVbfo-TLlXHiIzvvtAiwLTuw

docs[.]google[.]com/document/d/1jDswnvQuqVtPBfFRGF0QsiPwPhJpx7gnvYBWwx0-cDE

docs[.]google[.]com/document/d/1JjTlBHBgMMV7UWE6gGS-0DiJxR4lZ25Y7BI72yWTNF4

docs[.]google[.]com/document/d/1LpTCbki4DKgeyVWooTxjeLoa_vmiRyoEsWwkGlKWxmY

docs[.]google[.]com/document/d/1mMn7M-rf9l7yWnm0rwlcQUVhge5Dkqyqg71sZ29ge-c

docs[.]google[.]com/document/d/1mWVmMnRoznPas84up5xmOj6KFjtg1dfKMpbkxjeEd1o

docs[.]google[.]com/document/d/1N4gRKup-pzDnvQesFv2074XeQTeq0nng95gahkhmywI

docs[.]google[.]com/document/d/1nBREtyYtfwPZf0GbKbAqcHrFCE8SD0qyVBCtX2elt8U

docs[.]google[.]com/document/d/1O5_sYBE1AgSw-12bYhHA4mtbhZDAG_OZtCVZRmD2xA8

docs[.]google[.]com/document/d/1oJ97BHW0Dtn8CkH1ExYiIwq21ojgY8x2TKDr7wtFON8

docs[.]google[.]com/document/d/1OpfECPCt1GRv2AYq9nD_NXIqB6CsoUsx4ol024DHCSE

docs[.]google[.]com/document/d/1p3rvvJ8E_A9FAHjdNLDiSzi9cB5xDr4R97ePiK_u9To

docs[.]google[.]com/document/d/1RVAJU149Gp2X6pnzWDyypezzN_7liUvuXk21ThR0Tyc

docs[.]google[.]com/document/d/1RYLYetWuQIADc5GsKE5O_U_G62SuNX120PEyB8tQ5Y0

docs[.]google[.]com/document/d/1SG7ojLMmWPpF4XKXmHJkDqY16fBveB6ElOTtjnqwAHY

docs[.]google[.]com/document/d/1SM-PlruT6jQUwBkJmJAEOVem7Blkemw3XDOaQ2_vHlk

docs[.]google[.]com/document/d/1x3PGsJH9LbeumQA4uR5V4xqXY1ftPjEc7v92vY66_Qc

docs[.]google[.]com/document/d/1-xEX1azHPC27q6L6wH6ea2wArRcKRmmaodQEm2hlfuE

docs[.]google[.]com/document/d/1z-UjNJqU3cmSpVvhJXPNpVCd3tvLFNeYvjlkbn0nFxk

Sign up for our weekly FortiGuard Threat Brief. Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio.