After previously exploiting Microsoft Excel for formula injection attacks, hackers have now turned their attention to Google Sheets for the same purpose. A new malware campaign has come to light in which hackers are spreading CSV malware via Google Sheets.
CSV Malware Spread Via Google Sheets
A researcher has spotted a potential malware campaign exploiting Google Sheets. The hackers allegedly abuse the Google product to spread malware. What makes this campaign distinct is that it bypasses Google filters.
As revealed in his blog post, the researcher Marco Ramilli first spotted this campaign when he received a malicious email himself. Out of curiosity, he began scratching the surface and found an executable command in one of the cells.
“A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution.”
The researcher has identified the malware disseminated in this campaign as a NanoCore RAT variant.
While Microsoft Excel generates different warnings in case of such behavior, Google Sheets offers no such feature.
Users Should Remain Cautious
Google Drive and Gmail have implemented robust security features to filter out any malicious content. Because of these security features, Google services have gained users' trust as being secure. With this malware campaign, the hackers seemingly try to exploit this trust, as people will likely open Google Sheets.
Unfortunately, Google Sheets has no specific filters to detect and remove malware. Moreover, Google has expressed no intention to even consider it a bug. This is what Google replied to Ramilli on his report.
“We’ve investigated your submission and made the decision not to track it as a security bug.”
On the other hand, the malware is robust enough to infect the victim's device even if the user downloads the sheet and then opens it locally in MS Excel. As confirmed by the researcher,
“An attacker could send a clear link over an instant message platform and/or over eMail asking to open up a Google Sheets suggesting to the victim to open the spreadsheet locally since “MSExcel compatibility issues”. At that time, if the victim downloads the Google sheets and opens up locally (with Microsoft), the attacker might infect her box.”
Therefore, the only way to stay protected from this malware attack, for now, remains to be careful while clicking on links and opening emails from untrusted sources.
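The following is an added example, not code from the researcher's post or from Google: a Python check a defender could run over a downloaded CSV before it is opened locally, flagging cells a spreadsheet application would evaluate as formulas and rating those that mention cmd or bitsadmin as high. The sample data, function names and keyword list are assumptions made for illustration.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet application evaluate a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Tokens the article associates with this campaign's cell content.
# Assumption of this example: not an exhaustive signature set.
HIGH_RISK = re.compile(r"cmd(\.exe)?\s*\||bitsadmin", re.IGNORECASE)
# Plain signed numbers such as -12.5 or +3 are data, not formulas.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")


def is_formula_like(cell):
    """True if the cell would be evaluated rather than displayed."""
    value = cell.strip()
    return value.startswith(FORMULA_PREFIXES) and not NUMERIC.fullmatch(value)


def scan_csv(text):
    """Return (row, column, severity, cell) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                severity = "high" if HIGH_RISK.search(cell) else "review"
                findings.append((r, c, severity, cell.strip()))
    return findings


def neutralize(cell):
    """Prefix a formula-like cell with an apostrophe so it is kept as text."""
    return "'" + cell if is_formula_like(cell) else cell


# Constructed sample: empty fields followed by a formula-like cell, the layout
# the researcher describes. The command itself is replaced by a placeholder.
SAMPLE = (
    "name,amount,note\n"
    "alice,-12.5,refund\n"
    ",,,,,=cmd|'<command elided>'!A0\n"
    "bob,7,=SUM(B2:B3)\n"
)

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

Cells rated "review" may be legitimate formulas; the "high" rating only reflects the keywords named in this article.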