Drigo spyware exploits Google Drive in targeted attacks

Security experts at TrendMicro have discovered a cyber espionage campaign which used a malware dubbed Drigo to syphon data through Google Drive.

Security experts at TrendMicro have uncovered a new wave of targeted attacks which were stolen information through Google Drive. The researcher detected a new strain of data stealer malware, dubbed Drigo, that is apparently used in hacking campaigns targeting government agencies worldwide. The malware is able to syphon user’s files from the infected machine and sent it to Google Drive.

Drigo is able to steal common files including Excel, Word, PDF, text and PowerPoint files, including data in the Recycle Bin and User Documents folder, and upload them to Google Drive. The exploitation of cloud-based sharing sites is becoming even more frequent in the cybercrime ecosystem, in the last months security experts detected RAT served through these powerful platforms and phishing campaigns that benefited of SSL channels they ordinarily use.

The techniques spotted by the investigators are designed to  evade security vendors and researcher and in many cases are very sophisticated.

Drigo, in order to transfer the syphoned files to the Google Drive service includes in its source code the client_id, the client_secret and a refresh token (used for authentication process based on the OAuth 2.0 protocol).

“Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive. This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website,” states Trend Micro threats analyst Kervin Alintanahin in a blog post. “Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens. We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.”

The investigation allowed the experts to discover targeted attacks against government agencies, they speculate that Drigo malware has been designed for reconnaissance purposes.


“After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” noted Alintanahin.

Another interesting discovery made by the experts is the use of the Go open source programming language, also known as golang, that was initially developed by Google.

“While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.” states the blog post.

TrendMicro has already alerted Google of the malicious activities related to the Google Drive account used by the bad actors, but as explained by the experts in the post, if the Drigo malware is able to update the configuration file, it’s possible that the attackers will use many other Google Drive accounts to continue their campaigns.

Pierluigi Paganini

October 24, 2014

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...