A new piece of malware used by cybercriminals in a targeted attack attempts to gather information about the victim and upload the data to Google Drive.
The malware, dubbed Drigo, is a Trojan that searches for a specific set of file types in several locations on the hard disk and then uploads the data it finds to Google Drive.
The attackers are selective about the file formats they are looking for, restricting their search to XLSX, XLS, DOC, DOCX, PDF, TXT, PPT, and PPTX files located in places such as the Recycle Bin and the Documents folder, as well as other directories.
After analyzing the malware, Trend Micro researcher Kervin Alintanahin found that the attackers behind it use the OAuth protocol for authentication. For this purpose, they embed the CLIENT_ID and client_secret values along with a refresh token, so that the OAuth access token can be renewed rather than expiring.
According to the researcher, the documents sent to the Google cloud revealed the names of the targets, and most of them were government agencies.
Judging from the name of one document, the victims appear to be in China. Alintanahin said files from the compromised computers were still visible in the attacker's online storage.
Based on the observations made during the investigation, the malware appears to be capable only of uploading documents to Google Drive.