
Google Docs Abused to Protect Malicious Traffic

Researchers at FireEye have spotted a malware campaign using Google Docs to redirect victims and evade callback detection mechanisms.

Routing the connection to the malicious server through Google Docs gives the malicious communication the protection of the legitimate SSL certificate offered by Google, explained FireEye researcher Chong Rong Hwa.

“One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organization,” the researcher noted. “Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organization’s Incident Response team may want to dig deeper to find out if the traffic is triggered by a human or by malware.”
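As an added example (not from the article or from FireEye's research), the usage-pattern check the researcher describes can be turned into a simple beaconing heuristic over web-proxy logs: a user whose Google Docs requests are frequent and almost evenly spaced is a candidate for the Incident Response team to look at. The log lines, the threshold values and the function names below are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article): "timestamp user host".
# alice's requests arrive every ~30 minutes; bob's are irregular, human-like.
SAMPLE_LOG = """\
2013-06-20T08:00:05 alice docs.google.com
2013-06-20T08:30:05 alice docs.google.com
2013-06-20T09:00:06 alice docs.google.com
2013-06-20T09:30:04 alice docs.google.com
2013-06-20T10:00:05 alice docs.google.com
2013-06-20T10:30:05 alice docs.google.com
2013-06-20T08:12:41 bob docs.google.com
2013-06-20T08:13:02 bob docs.google.com
2013-06-20T11:47:19 bob docs.google.com
2013-06-20T16:05:33 bob docs.google.com
2013-06-20T09:00:00 bob www.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse(log_text):
    """Return {user: [timestamps]} for requests to Google Docs hosts only."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the sweep
        ts, user, host = m.groups()
        if host.endswith("docs.google.com"):
            per_user[user].append(datetime.fromisoformat(ts))
    return per_user

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests.
    Values near 0 mean machine-like regularity; None if too few requests."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else 0.0

def suspicious_users(log_text, min_hits=5, max_cv=0.1):
    """Flag users whose Google Docs traffic is both frequent and evenly spaced."""
    flagged = {}
    for user, stamps in parse(log_text).items():
        score = beacon_score(stamps)
        if len(stamps) >= min_hits and score is not None and score <= max_cv:
            flagged[user] = round(score, 3)
    return flagged
```

The thresholds are deliberately simple; real deployments would tune `min_hits` and `max_cv` against a baseline of normal Google Docs use in the organization.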

According to FireEye, the campaign relies on spear-phishing attacks targeting countries such as Laos, Singapore and Cambodia.

The document used in this attack exploits CVE-2012-0158 and creates a decoy document along with a malware dropper named exp1ore.exe, Chong Rong Hwa wrote. This dropper then drops wab.exe and wab32res.dll into the temp folder; when wab.exe runs, it loads the malicious DLL.

The DLL in turn installs a copy of wab32res.dll as msnetrsvw.exe inside the Windows directory and registers it as a Windows service. This allows the malware to survive reboots and persist on the network, according to the researcher.

The malware has been dubbed “Trojan.APT.Seinup” because one of its export functions is named “seinup”. If infected, the malware creates a backdoor on the system and gives the attacker remote control over the victim’s computer.

In addition, the malware is armed with a number of cryptographic functions to perform some of its operations securely. On disk, the malicious code is either encrypted or compressed to dodge signature-based scanning. Only once it is loaded into memory is the malicious code revealed, and there it is loaded manually rather than through the Win32 API, according to the researcher. This helps hide the malicious DLL if the malware is analyzed.

“It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase,” he blogged. “Once a network is compromised, it is increasingly harder to detect such threats.”

Written By

Marketing professional with a background in journalism and a focus on IT security.