Trojan Takes Over Google Docs

Thursday, June 20, 2013 @ 11:06 AM gHale


A newly identified spear phishing attack uses Google Docs as a redirector for its malware's callback traffic, hiding the connection to the attacker's server from network detection in order to steal information.

Attackers are using advanced malware to mount a targeted spear phishing campaign designed to steal corporate and personal data from victims, said researchers at security firm FireEye.


“The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN [Association of Southeast Asian Nations],” said FireEye researcher Chong Rong Hwa. “Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy.”

“This malware was found to have used a number of advanced techniques, which makes it interesting. The malware leverages Google Docs to perform redirection to evade callback detection,” Hwa said.

Hwa said the use of Google Docs is a problem because the malware's traffic inherits the reputation and encryption of a legitimate, widely used service and so blends past traditional security tools. He did add, though, that there are ways to address it.

“By connecting the malicious server via Google Docs, the malicious communication is protected by the legitimate SSL provided by Google Docs,” he said.

“One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organization. Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organization’s incident response team may want to dig deeper to find out if the traffic is triggered by a human or by malware,” he said.
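The usage-pattern hunt Hwa describes can be scripted against web proxy logs. The block below is an added example, not FireEye's code: it groups requests to docs.google.com by user, measures how evenly spaced they are, and flags the users whose spacing is too regular for a person. The log format, the user names and the request times are constructed for illustration, and the thresholds (at least five hits, coefficient of variation of the gap at or below 0.1) are assumptions to be tuned against your own baseline.

```python
"""Hunt for beacon-like access to Google Docs in web proxy logs.

Added example, not FireEye's code.  Each record of the constructed log below is
"<ISO-8601 timestamp> <user> <destination host> <method>"; real proxy formats
differ, so only parse_log() needs to change for a real log.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample.  'jdoe' uses Docs like a person: bursts of requests at
# irregular times.  'host42' contacts docs.google.com every ten minutes, give
# or take a few seconds, starting at 02:00, which is what a scheduled
# callback through a Google Docs redirector looks like from the proxy.
SAMPLE_LOG = """\
2013-06-18T09:02:11 jdoe docs.google.com GET
2013-06-18T09:02:14 jdoe docs.google.com GET
2013-06-18T09:02:15 jdoe docs.google.com POST
2013-06-18T09:41:50 jdoe docs.google.com GET
2013-06-18T13:15:03 jdoe docs.google.com GET
2013-06-18T13:16:40 jdoe docs.google.com GET
2013-06-18T02:00:00 host42 docs.google.com GET
2013-06-18T02:10:03 host42 docs.google.com GET
2013-06-18T02:19:58 host42 docs.google.com GET
2013-06-18T02:30:01 host42 docs.google.com GET
2013-06-18T02:40:00 host42 docs.google.com GET
2013-06-18T02:49:57 host42 docs.google.com GET
2013-06-18T02:30:12 jdoe www.example.com GET
"""

TARGET_HOST = "docs.google.com"


def parse_log(text):
    """Return {user: sorted [datetime, ...]} of requests to TARGET_HOST."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, _method = line.split()
        if host == TARGET_HOST:
            hits[user].append(datetime.fromisoformat(ts))
    return {user: sorted(times) for user, times in hits.items()}


def interval_stats(times):
    """Mean gap between consecutive hits (seconds) and its coefficient of
    variation (population stdev / mean); a CV near 0 means clockwork spacing."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Users with at least min_hits requests to TARGET_HOST whose spacing is
    regular enough (CV <= max_cv) to suggest a machine rather than a person.
    Returns {user: mean interval in whole seconds}.  Thresholds are assumptions."""
    suspects = {}
    for user, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            suspects[user] = round(avg)
    return suspects


if __name__ == "__main__":
    for user, period in find_beacons(SAMPLE_LOG).items():
        print(f"{user}: {period}s periodic access to {TARGET_HOST}, review")
```

Evenly spaced requests are the signature of a scheduled callback, but they are only a triage signal: a Docs tab left open polls the service on its own schedule, so corroborate a hit with off-hours timing, a non-browser User-Agent, or request sizes that never vary. Without the SSL inspection Hwa mentions, the proxy sees only the host name, not which document was fetched or what it contained.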

Outside of its use of Google Docs, the phishing document exploits CVE-2012-0158, the vulnerability in the MSCOMCTL ActiveX control used by Microsoft Office, and uses a malware dropper named exp1ore.exe, a look-alike of the Windows explorer.exe name. The dropper registers the malware as a Windows service on infected machines, so it is started again after every reboot and keeps its network foothold.
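A matching host-side check is to look at what the dropper leaves behind. The block below is an added example, not FireEye's code: it triages Windows service entries for a binary path outside the Windows and Program Files directories and for a binary name that normalises (digit 1 to l, 0 to o, and so on) to within one character of a core system binary, as exp1ore.exe does against explorer.exe. The service list is constructed; the service names ExplorerHelper and UpdateSvc, their paths, and the homoglyph table are assumptions for illustration.

```python
"""Triage Windows service entries left behind by a dropper that registers
itself as a service to survive reboots.

Added example, not FireEye's code.  Input is a constructed list of
(service name, ImagePath) pairs of the kind exported from
HKLM\\SYSTEM\\CurrentControlSet\\Services or printed by `sc qc`; the two
suspicious entries and their paths are invented for illustration.
"""
import ntpath

SAMPLE_SERVICES = [
    ("Dhcp", r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ExplorerHelper", r"C:\Users\Public\exp1ore.exe"),       # constructed: dropper-style name
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("UpdateSvc", r"C:\ProgramData\Temp\svch0st.exe"),        # constructed: 0 for o
    ("MyVendorAgent", r'"C:\Program Files\Vendor\agent.exe"'),
]

# Directories where service binaries normally live (lower-cased prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Core system binaries whose names malware likes to imitate.
KNOWN_BINARIES = {"explorer.exe", "svchost.exe", "spoolsv.exe", "lsass.exe",
                  "csrss.exe", "services.exe", "winlogon.exe"}
# Digit/letter look-alikes; assumed table: exp1ore -> explore, svch0st -> svchost.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def binary_path(image_path):
    """Strip quoting and arguments from an ImagePath value."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    return p.split(" ", 1)[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_services(services):
    """Return {service name: [reasons]} for entries worth a closer look."""
    findings = {}
    for name, image in services:
        path = binary_path(image)
        exe = ntpath.basename(path).lower()
        reasons = []
        if not path.lower().startswith(TRUSTED_DIRS):
            reasons.append(f"binary outside Windows/Program Files: {path}")
        normalised = exe.translate(HOMOGLYPHS)
        if exe not in KNOWN_BINARIES and any(
                edit_distance(normalised, known) <= 1 for known in KNOWN_BINARIES):
            reasons.append(f"name imitates a system binary: {exe}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in triage_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(reasons))
```

Neither test is proof on its own: vendors do install services under C:\ProgramData, and a name check only catches imitations of the list you maintain. Treat a hit as a reason to pull the binary, check its signature and hash, and compare the service list against a known-good baseline from an uninfected build.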

The malware is troublesome because it grants the attackers a variety of powers over the infected machine. “This malware is named Trojan.APT.Seinup because one of its export functions is named ‘seinup’. This malware was analyzed to be a backdoor that allows the attacker to remotely control the infected system,” Hwa said.

He cited the campaign as evidence that attackers are developing new, more sophisticated ways to target businesses, and called on companies to update their current defense strategies to deal with the evolved threat.

“Malware is increasingly becoming more contextually advanced,” he said. “It attempts to appear as much as possible like legitimate software or documents. In this example, we would conclude the following. A potentially stolen document was used as a decoy document to increase its credibility. It is also a sign that the compromised organizations could be used as a soft target to compromise their business partners and allies.”

“It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase,” Hwa said. “Once a network is compromised, it is increasingly harder to detect such threats. Anti-incident response and forensic techniques are increasingly used to evade detection. It would require a keen eye on details and a wealth of experience to identify all these advanced techniques.”


