New malware targeting Windows 8 appears to be using Google Docs as a proxy server instead of directly connecting to a command and control (C&C) server. According to research done by Symantec and discussed in the company’s Security Response blog late last week, a Trojan, Backdoor.Makadocs, targets Windows 8 – along with Windows Server 2012 – yet doesn’t use any of the software’s particular functions as an exploit vector.
Instead the malware leverages one of Google Docs’ features, Viewer, which attackers are using to retrieve the resources of another URL and display it. Backdoor.Makadocs uses Viewer to access its C&C server and relies on Google Docs’ encrypted HTTPS to help thwart users from blocking the connection.
Takashi Katsuki, a software engineer at Symantec, writes that in its current incarnation, the malware could essentially be blocked by Google by implementing a firewall. Google meanwhile, claims it will “investigate and take action when we become aware of abuse.” A statement from the company insists that “using any Google product to conduct this kind of activity is a violation of our product policies.”
Katsuki’s blog goes on to note that given the following code, Backdoor.Makadocs appears to be primarily targeting Brazilians:
By disguising itself as a Rich Text Format or Word document, the malware tricks users into clicking and opening the file, before it connects to its C&C server.
While Windows 8 may be in its infancy, its relative newness has made it a prime target for attackers. Researchers at the French security firm VUPEN claimed they had developed a zero-day exploit for the software by Halloween while Microsoft went on to patch 19 vulnerabilities in the software earlier this month.