
Google Docs Abused to Protect Malicious Traffic

Researchers at FireEye have spotted a malware campaign using Google Docs to redirect victims and evade callback detection mechanisms.

Routing the connection to the malicious server through Google Docs gives the malicious traffic the protection of the legitimate SSL certificate offered by Google, explained FireEye researcher Chong Rong Hwa.


“One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organization,” the researcher noted. “Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organization’s Incident Response team may want to dig deeper to find out if the traffic is triggered by a human or by malware.”
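The usage-pattern check the researcher suggests can be automated. The following is an added example (not code from FireEye or SecurityWeek) that reads constructed proxy log lines, counts each user's requests to a Google Docs host, and measures how clocklike the gaps between requests are: human browsing is bursty, while a malware callback timer fires at near-constant intervals. The log format, the `docs.google.com` host filter and the thresholds `min_hits` and `max_cv` are assumptions chosen for the example.

```python
"""Flag users whose Google Docs traffic looks machine-driven (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt: "<ISO timestamp> <user> <destination host>".
# These lines are made up for the example; they are not from the FireEye report.
# alice browses irregularly, bob's requests land on an hourly timer, carol is quiet.
SAMPLE_LOG = """\
2013-06-19T08:00:04 alice docs.google.com
2013-06-19T08:01:00 alice mail.example.com
2013-06-19T08:03:51 alice docs.google.com
2013-06-19T08:30:12 alice docs.google.com
2013-06-19T09:45:00 alice docs.google.com
2013-06-19T11:17:45 alice docs.google.com
2013-06-19T11:18:02 alice docs.google.com
2013-06-19T14:02:09 alice docs.google.com
2013-06-19T16:40:33 alice docs.google.com
2013-06-19T17:05:10 alice docs.google.com
2013-06-19T08:00:00 bob docs.google.com
2013-06-19T09:00:02 bob docs.google.com
2013-06-19T10:00:01 bob docs.google.com
2013-06-19T11:00:03 bob docs.google.com
2013-06-19T12:00:00 bob docs.google.com
2013-06-19T13:00:02 bob docs.google.com
2013-06-19T14:00:01 bob docs.google.com
2013-06-19T15:00:03 bob docs.google.com
2013-06-19T16:00:00 bob docs.google.com
2013-06-19T17:00:02 bob docs.google.com
2013-06-19T10:12:44 carol docs.google.com
2013-06-19T15:48:19 carol docs.google.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, host) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        records.append((datetime.fromisoformat(ts), user, host))
    return records


def analyze(records, host="docs.google.com", min_hits=8, max_cv=0.15):
    """Per user: count requests to `host` and score how regular they are.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests. A value near zero means the requests are
    evenly spaced, which is what a callback timer produces. A user is flagged
    only when both the volume and the regularity thresholds are met.
    """
    by_user = defaultdict(list)
    for ts, user, h in records:
        if h == host:
            by_user[user].append(ts)

    report = {}
    for user, stamps in by_user.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
        suspicious = len(stamps) >= min_hits and cv is not None and cv <= max_cv
        report[user] = {"hits": len(stamps), "cv": cv, "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for user, r in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        cv = "n/a" if r["cv"] is None else f"{r['cv']:.3f}"
        flag = "REVIEW" if r["suspicious"] else "ok"
        print(f"{user:6} hits={r['hits']:2} cv={cv:>6} {flag}")
```

The output lists one line per user; only the user whose requests arrive on a steady timer is marked for review, which is the kind of lead an incident response team can then check against endpoint activity to decide whether a person or a process generated the traffic.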

According to FireEye, the campaign relies on spear-phishing attacks targeting countries such as Laos, Singapore and Cambodia.

The document used in this attack exploits CVE-2012-0158, creating a decoy document and a malware dropper named exp1ore.exe, Chong Rong Hwa wrote. The dropper then drops wab.exe and wab32res.dll into the temp folder; when wab.exe is run, it loads the malicious DLL.

This in turn installs a copy of wab32res.dll as msnetrsvw.exe inside the Windows directory and registers it as a Windows service, which allows the malware to survive reboots and persist on the network, according to the researcher.
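The dropper chain above leaves three host-side traces a defender can look for without relying on file hashes: an executable run from a temp folder, a DLL loaded from that same folder beside it, and a newly installed service whose binary sits directly under the Windows directory but is absent from a baseline. The following is an added example, not code from FireEye or SecurityWeek, that applies those three checks to constructed Sysmon-style events; the event shape, the paths and the `SERVICE_BASELINE` inventory are assumptions made up for the example.

```python
"""Host-side checks for the dropper behaviour described above (added example)."""
from pathlib import PureWindowsPath

# Constructed endpoint telemetry shaped like Sysmon events. The paths mirror the
# behaviour the article describes but are invented for this example.
EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\u1\AppData\Local\Temp\wab.exe"},
    {"type": "image_load",
     "process": r"C:\Users\u1\AppData\Local\Temp\wab.exe",
     "image": r"C:\Users\u1\AppData\Local\Temp\wab32res.dll"},
    {"type": "service_install", "name": "msnetrsvw",
     "image": r"C:\Windows\msnetrsvw.exe"},
    # Benign noise the rules should leave alone.
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "image_load",
     "process": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "service_install", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Hypothetical baseline of service image paths taken from a clean golden image.
# A real deployment would populate this from its own inventory.
SERVICE_BASELINE = {r"c:\windows\system32\spoolsv.exe"}


def _norm(path):
    """Canonical lowercase Windows path string for comparisons."""
    return str(PureWindowsPath(path)).lower()


def in_temp_dir(path):
    """True when any directory component of the path is a temp folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return "temp" in parts or "tmp" in parts


def in_windows_root(path):
    """True when the file sits directly in C:\\Windows, not a subfolder."""
    return _norm(PureWindowsPath(path).parent) == r"c:\windows"


def evaluate(events, baseline=SERVICE_BASELINE):
    """Return (rule, path) findings for the events that match a rule."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and in_temp_dir(ev["image"]):
            findings.append(("exec_from_temp", ev["image"]))
        elif kind == "image_load" and in_temp_dir(ev["image"]):
            # A DLL loaded from the same temp folder as the process image is the
            # wab.exe / wab32res.dll pattern the article describes.
            same_dir = (_norm(PureWindowsPath(ev["image"]).parent)
                        == _norm(PureWindowsPath(ev["process"]).parent))
            if same_dir:
                findings.append(("dll_loaded_from_temp_beside_exe", ev["image"]))
        elif kind == "service_install":
            image = _norm(ev["image"])
            if image not in baseline and in_windows_root(image):
                findings.append(("unbaselined_service_in_windows_dir", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, path in evaluate(EVENTS):
        print(f"{rule:40} {path}")
```

Each rule is deliberately behaviour-based rather than name-based, so a renamed dropper or DLL still trips it; the cost is that a legitimate installer running from a temp folder will also be flagged, which is why the output is a review queue rather than a block decision.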


The malware has been dubbed “Trojan.APT.Seinup” because one of its export functions is named “seinup”. Once a system is infected, the malware opens a backdoor and gives the attacker remote control over the victim’s computer.

In addition, the malware uses a number of cryptographic functions to carry out some of its operations securely. On disk, the malicious code is stored encrypted or compressed to evade signature-based scanning; it is only decoded when loaded into memory, and it is loaded manually rather than through the Win32 API, according to the researcher. This helps hide the malicious DLL if the malware is analyzed.

“It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase,” he blogged. “Once a network is compromised, it is increasingly harder to detect such threats.”
