SecurityWeek

Google Docs Abused to Protect Malicious Traffic

Researchers at FireEye have spotted a malware campaign using Google Docs to redirect victims and evade callback detection mechanisms.

Routing the connection to the malicious server through Google Docs gives the malicious communication the protection of the legitimate SSL connection offered by Google, explained FireEye researcher Chong Rong Hwa.


“One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organization,” the researcher noted. “Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organization’s Incident Response team may want to dig deeper to find out if the traffic is triggered by a human or by malware.”
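The usage-pattern check the researcher suggests can be automated against proxy logs. The following is an added example, not FireEye's or SecurityWeek's code: it parses constructed proxy log lines, keeps only requests to Google Docs hosts, and flags a user whose requests come in high volume at nearly fixed intervals, which is how a malware callback tends to look and how a person rarely does. The log format, the host list and the thresholds (ten hits, under 10% timing jitter) are assumptions to tune for a real environment.

```python
"""Flag users whose Google Docs traffic looks machine-generated.

Added example (not FireEye's or SecurityWeek's code). Applies the
usage-pattern idea from the article to constructed proxy log lines.
Log format, host list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<iso timestamp> <user> <host> <path>".
# alice is a human editing documents; bob's host polls one URL every 5 min.
SAMPLE_LOG = """\
2013-06-20T08:01:12 alice docs.google.com /document/d/abc/edit
2013-06-20T09:47:03 alice docs.google.com /document/d/abc/edit
2013-06-20T14:22:51 alice docs.google.com /spreadsheets/d/xyz/edit
2013-06-20T08:00:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:05:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:10:01 bob docs.google.com /document/d/relay/edit
2013-06-20T08:15:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:20:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:25:01 bob docs.google.com /document/d/relay/edit
2013-06-20T08:30:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:35:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:40:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:45:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:50:00 bob docs.google.com /document/d/relay/edit
2013-06-20T08:55:00 bob docs.google.com /document/d/relay/edit
2013-06-20T09:00:00 bob docs.google.com /document/d/relay/edit
"""

# Assumption: the hosts that count as "Google Docs" traffic in this environment.
GOOGLE_DOCS_HOSTS = {"docs.google.com", "drive.google.com"}


def parse_log(text):
    """Return {user: [(timestamp, path), ...]} for Google Docs requests only."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, path = line.split()
        if host in GOOGLE_DOCS_HOSTS:
            per_user[user].append((datetime.fromisoformat(ts), path))
    return per_user


def beacon_score(events, min_hits=10, max_jitter_ratio=0.1):
    """Return (is_suspicious, detail) for one user's request list.

    Suspicious means at least `min_hits` requests whose inter-request gaps
    are almost identical (relative standard deviation below
    `max_jitter_ratio`). Human browsing rarely produces that regularity.
    """
    if len(events) < min_hits:
        return False, {"hits": len(events)}
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg > 0 else 0.0
    detail = {
        "hits": len(events),
        "avg_gap_s": round(avg, 1),
        "jitter": round(jitter, 3),
        "distinct_paths": len({p for _, p in events}),
    }
    return jitter < max_jitter_ratio, detail


def find_beaconing_users(text):
    """Map every user seen in the log to a (is_suspicious, detail) verdict."""
    return {user: beacon_score(evts) for user, evts in parse_log(text).items()}


if __name__ == "__main__":
    for user, (suspicious, detail) in find_beaconing_users(SAMPLE_LOG).items():
        print(user, "SUSPICIOUS" if suspicious else "ok", detail)
```

A flagged user is a lead for the incident response team, not a verdict: the follow-up is to check whether a person was at the keyboard at those times and whether the requests all target one document that nobody in the organisation authored.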

According to FireEye, the campaign relies on spear-phishing attacks targeting countries such as Laos, Singapore and Cambodia.

The document used in this attack exploits CVE-2012-0158 and creates a decoy document and a malware dropper named exp1ore.exe, blogged Chong Rong Hwa, a researcher at FireEye. This dropper then drops wab.exe and wab32res.dll inside the temp folder; running wab.exe causes the malicious DLL to be loaded.

This will in turn install a copy of wab32res.dll as msnetrsvw.exe inside the Windows directory to be registered as a Windows service. By doing so, it allows the malware to survive reboot and persist on the network, according to the researcher.
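The two host-level footprints of this chain, wab.exe executing from a temp folder and side-loading a DLL from that same folder, then a binary placed directly in the Windows directory and registered as a service, can be checked in a triage script. The following is an added example, not FireEye's or SecurityWeek's code. It runs two checks over a constructed process and service snapshot; the expected install directory of wab.exe, the snapshot format and the "binary directly under C:\Windows" heuristic are assumptions, and the file names come only from the chain described in the article.

```python
"""Triage a host snapshot for the Seinup-style infection chain.

Added example (not FireEye's or SecurityWeek's code). Two checks over a
constructed snapshot: DLL side-loading by a relocated wab.exe, and a
service whose binary sits directly in the Windows directory. Expected
paths and the snapshot format are assumptions.
"""
from pathlib import PureWindowsPath

# Assumption: where the genuine Windows Address Book binary normally lives.
EXPECTED_WAB_DIR = PureWindowsPath(r"C:\Program Files\Windows Mail")
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
# File names the article ties to this chain (not a general-purpose blocklist).
CHAIN_FILENAMES = {"exp1ore.exe", "wab32res.dll", "msnetrsvw.exe"}

# Constructed snapshot: running processes and their loaded modules.
PROCESSES = [
    {"image": r"C:\Program Files\Windows Mail\wab.exe",
     "modules": [r"C:\Windows\System32\kernel32.dll"]},
    {"image": r"C:\Users\victim\AppData\Local\Temp\wab.exe",
     "modules": [r"C:\Users\victim\AppData\Local\Temp\wab32res.dll",
                 r"C:\Windows\System32\kernel32.dll"]},
]
# Constructed snapshot: installed services and their binary paths.
SERVICES = [
    {"name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "msnetrsvw", "image": r"C:\Windows\msnetrsvw.exe"},
]


def _same_dir(a, b):
    """True when two paths share a parent directory (case-insensitive)."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def check_sideloading(processes):
    """Flag wab.exe instances outside their expected directory that load a
    DLL from their own directory, the classic side-loading pattern."""
    hits = []
    for proc in processes:
        image = PureWindowsPath(proc["image"])
        if image.name.lower() != "wab.exe" or image.parent == EXPECTED_WAB_DIR:
            continue
        local_dlls = [m for m in proc["modules"]
                      if m.lower().endswith(".dll") and _same_dir(m, proc["image"])]
        if local_dlls:
            hits.append({"image": str(image), "sideloaded": local_dlls})
    return hits


def check_services(services):
    """Flag services whose binary sits directly in the Windows directory
    (not a subfolder such as System32), or whose file name the article
    ties to the chain. The directory rule is a heuristic and can produce
    false positives on hosts with unusual software."""
    hits = []
    for svc in services:
        image = PureWindowsPath(svc["image"])
        if image.parent == WINDOWS_DIR or image.name.lower() in CHAIN_FILENAMES:
            hits.append({"name": svc["name"], "image": str(image)})
    return hits


def triage(processes, services):
    """Run both checks and return their findings together."""
    return {"sideloading": check_sideloading(processes),
            "suspect_services": check_services(services)}


if __name__ == "__main__":
    for kind, findings in triage(PROCESSES, SERVICES).items():
        print(kind, findings)
```

The side-loading check is the one that generalises: any signed, legitimate executable copied to a writable directory next to a DLL it expects to find in its own folder produces the same shape, so the same function can be pointed at other binaries by changing the expected-directory table.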

The malware has been dubbed “Trojan.APT.Seinup” because one of its export functions is named “seinup”. If infected, the malware creates a backdoor on the system and gives the attacker remote control over the victim’s computer.

In addition, the malware is armed with a number of cryptographic functions to perform some of its operations securely. On disk, the malicious code is either encrypted or compressed to dodge signature-based scanning. It is only decoded once in memory, where it is loaded manually without using the Win32 API, according to the researcher. This helps hide the malicious DLL in the event the malware is analyzed.

“It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase,” he blogged. “Once a network is compromised, it is increasingly harder to detect such threats.”
