Banking Trojan Drive-by Download Leverages Trust in Google Sites

Brazilian hackers have developed a drive-by download attack that leverages the inherent trust in the Google name. A banking trojan known as LoadPCBanker is deployed using the File Cabinet template in Google Sites as a delivery vehicle. The attacker first developed a website using Google Sites. He then used the File Cabinet option to upload and store the malware, and distributed the resulting URL to potential victims. The process, discovered by Netskope, relies heavily on users' tendency to trust the Google name, together with an apparent failure by Google to block malicious uploads to the File Cabinet.

Within the Cabinet is a RAR archive titled 'Reserva_Manoel_pdf.rar', and within that is a malicious executable titled 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe'. The latter translates from Portuguese to 'PDF Reservations Details MANOEL CARVALHO guest house details'. Although a Google search does not turn up such a guest house, there is a Manoel Carvalho who plays football for the Brazilian team Corinthians on loan from Cruzeiro -- and the attackers are likely relying on natural curiosity, especially the Brazilian love of football, to tempt visitors into downloading the malware.
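The lure naming described above can be checked on an archive listing before anything is extracted. The following Python is an added example, not code from Netskope or the original article; the extension lists and function names are assumptions, and the sample listing is constructed from the two file names quoted above.

```python
from __future__ import annotations
import re
from pathlib import PurePosixPath

# Assumed lists for this example; extend them for your environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}

# Constructed listing built from the two file names quoted in the article.
SAMPLE_ARCHIVE = "Reserva_Manoel_pdf.rar"
SAMPLE_MEMBERS = [
    "PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe",
]


def doc_tokens_in(stem: str) -> set[str]:
    """Document-type words that appear as whole tokens in a file stem."""
    return DOC_TOKENS.intersection(re.split(r"[^a-z0-9]+", stem.lower()))


def masquerades_as_document(member: str) -> bool:
    """True when a member is executable but its name claims a document type."""
    path = PurePosixPath(member.replace("\\", "/"))
    if path.suffix.lower() not in EXECUTABLE_EXT:
        return False
    return bool(doc_tokens_in(path.stem))


def triage_archive(archive_name: str, members: list[str]) -> dict:
    """Summarise why an archive listing looks like a document lure."""
    arc = PurePosixPath(archive_name)
    flagged = [m for m in members if masquerades_as_document(m)]
    return {
        "archive_claims_document": arc.suffix.lower() in ARCHIVE_EXT
        and bool(doc_tokens_in(arc.stem)),
        "masquerading_members": flagged,
        "suspicious": bool(flagged),
    }


if __name__ == "__main__":
    print(triage_archive(SAMPLE_ARCHIVE, SAMPLE_MEMBERS))
```

Matching on whole tokens keeps a name such as `pdfcreator.exe` from being flagged, while a legitimate installer whose name contains a separate `pdf` word would still need an allow-list entry.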
