Researchers at FireEye have spotted a malware campaign using Google Docs to redirect victims and evade callback detection mechanisms.
Routing the connection to the malicious server through Google Docs gives the command-and-control traffic the cover of Google's legitimate SSL certificate, so the callback is encrypted to a trusted domain, explained FireEye researcher Chong Rong Hwa.
“One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organization,” the researcher noted. “Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day; the organization’s Incident Response team may want to dig deeper to find out if the traffic is triggered by a human or by malware.”
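The usage-pattern check the researcher describes can be automated against proxy logs. The following is an added example, not code from FireEye or from the report: it parses a constructed set of proxy log lines (the log format, the user names and the paths are assumptions), counts each user's Google Docs requests, and then measures how regular the gaps between requests are. A human editing a document produces irregular gaps; a malware callback on a timer produces near-identical ones, which shows up as a very low coefficient of variation.

```python
"""Flag users whose Google Docs traffic looks timer-driven rather than human."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<iso timestamp> <user> <host> <method> <path>".
# "alice" edits documents at irregular times; "bob" hits Google Docs once an hour
# almost to the second, as a beaconing implant would. None of this is real traffic.
SAMPLE_LOG = """\
2013-06-20T08:00:00 alice docs.google.com GET /document/d/abc/edit
2013-06-20T08:47:12 alice docs.google.com GET /document/d/abc/edit
2013-06-20T11:05:33 alice docs.google.com GET /spreadsheets/d/xyz
2013-06-20T15:20:01 alice docs.google.com GET /document/d/abc/edit
2013-06-20T08:00:00 bob docs.google.com GET /viewer
2013-06-20T09:00:01 bob docs.google.com GET /viewer
2013-06-20T10:00:00 bob docs.google.com GET /viewer
2013-06-20T11:00:02 bob docs.google.com GET /viewer
2013-06-20T12:00:00 bob docs.google.com GET /viewer
2013-06-20T13:00:01 bob docs.google.com GET /viewer
2013-06-20T14:00:00 bob docs.google.com GET /viewer
2013-06-20T15:00:00 bob docs.google.com GET /viewer
2013-06-20T10:15:00 carol mail.example.com GET /inbox
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return {user: [timestamps]} for requests to docs.google.com only."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the hunt
        ts, user, host, _method, _path = m.groups()
        if host.endswith("docs.google.com"):
            events[user].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times, min_hits=6):
    """Return (hit count, coefficient of variation of inter-request gaps).

    Returns None when there are too few requests to judge regularity.
    A CV near 0 means the gaps are almost identical, i.e. timer-driven.
    """
    if len(times) < min_hits:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None  # duplicate timestamps; nothing to measure
    return len(ordered), statistics.pstdev(gaps) / mean_gap


def find_beacons(text, min_hits=6, max_cv=0.1):
    """Return {user: (hits, cv)} for users whose Docs traffic is suspiciously regular."""
    flagged = {}
    for user, times in parse_log(text).items():
        score = beacon_score(times, min_hits)
        if score is not None and score[1] <= max_cv:
            flagged[user] = score
    return flagged


if __name__ == "__main__":
    for user, (hits, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{user}: {hits} Docs requests, gap CV={cv:.4f} -> review for automated callback")
```

The thresholds (`min_hits=6`, `max_cv=0.1`) are starting points, not tuned values: legitimate sync clients also poll on a timer, so a flagged user is a lead for the IR team to check against process and endpoint data, not a verdict on its own.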
According to FireEye, the campaign relies on spear-phishing attacks targeting countries such as Laos, Singapore and Cambodia.
The document used in this attack exploits CVE-2012-0158 and drops a decoy document together with a malware dropper named exp1ore.exe, Chong Rong Hwa wrote. The dropper then writes wab.exe and wab32res.dll into the temp folder. wab.exe is a legitimate Windows binary (the Windows Address Book client); when it runs, it loads the malicious wab32res.dll sitting next to it, a DLL side-loading technique that puts the payload inside a trusted process.
The DLL then installs a copy of itself as msnetrsvw.exe in the Windows directory and registers it as a Windows service, which lets the malware survive reboots and remain on the compromised host, according to the researcher.
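The infection chain above leaves three artifacts an incident responder can hunt for: the dropped file names, a copy of wab.exe in a user-writable temp directory next to a wab32res.dll, and a service whose binary is a byte-for-byte copy of a file dropped in temp. The following is an added example, not FireEye's code: it runs those three checks over a constructed host inventory (file paths, service names and hashes are placeholders, and the hashes are of dummy labels rather than real samples). The hash-equality check matters because the service binary is a renamed copy of the DLL, so it still fires if an attacker changes the file name.

```python
"""Hunt a host inventory for the dropper -> side-load -> service persistence chain."""
import hashlib
from dataclasses import dataclass


@dataclass
class FileEntry:
    path: str
    sha256: str


@dataclass
class ServiceEntry:
    name: str
    image_path: str  # as stored in the service's ImagePath, may carry arguments


def placeholder_hash(label):
    """Stand-in for a real file hash; hashes a label so equal content -> equal hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed inventory of an infected host (not real sample data).
FILES = [
    FileEntry(r"C:\Users\victim\AppData\Local\Temp\wab.exe", placeholder_hash("legit wab")),
    FileEntry(r"C:\Users\victim\AppData\Local\Temp\wab32res.dll", placeholder_hash("payload")),
    FileEntry(r"C:\Windows\msnetrsvw.exe", placeholder_hash("payload")),  # copy of the DLL
    FileEntry(r"C:\Windows\System32\svchost.exe", placeholder_hash("svchost")),
    FileEntry(r"C:\Program Files\Windows Mail\wab.exe", placeholder_hash("legit wab")),
]
SERVICES = [
    ServiceEntry("msnetrsvw", r"C:\Windows\msnetrsvw.exe"),
    ServiceEntry("Dnscache", r"C:\Windows\System32\svchost.exe -k NetworkService"),
]

# File names reported for this campaign.
IOC_NAMES = {"exp1ore.exe", "wab32res.dll", "msnetrsvw.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def is_temp_dir(path):
    """True when the file sits under any directory named 'Temp' (user-writable)."""
    return "\\temp\\" in dirname(path) + "\\"


def image_file(image_path):
    """Strip service arguments so the binary path can be looked up; handles quoted paths."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hunt(files, services, ioc_names=IOC_NAMES):
    """Return a list of (finding_kind, detail) tuples for the three chain indicators."""
    findings = []
    by_path = {f.path.lower(): f for f in files}
    temp_hashes = {f.sha256: f.path for f in files if is_temp_dir(f.path)}

    # 1. Dropped files by their reported names.
    for f in files:
        if basename(f.path) in ioc_names:
            findings.append(("ioc_name", f.path))

    # 2. Side-loading pair: a stray wab.exe in temp with a wab32res.dll beside it.
    dirs_with_dll = {dirname(f.path) for f in files if basename(f.path) == "wab32res.dll"}
    for f in files:
        if basename(f.path) == "wab.exe" and is_temp_dir(f.path) and dirname(f.path) in dirs_with_dll:
            findings.append(("sideload_pair", f.path))

    # 3. A service binary outside temp that is content-identical to something dropped in temp.
    for svc in services:
        image = by_path.get(image_file(svc.image_path).lower())
        if image and not is_temp_dir(image.path) and image.sha256 in temp_hashes:
            findings.append(("service_copy_of_temp_file",
                             f"{svc.name} -> {image.path} == {temp_hashes[image.sha256]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt(FILES, SERVICES):
        print(f"[{kind}] {detail}")
```

On a real host the inventory would come from a file-system walk with hashing and from the SCM or the `HKLM\SYSTEM\CurrentControlSet\Services` ImagePath values; the point of the third check is that it needs no name-based indicator at all.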
The malware has been dubbed “Trojan.APT.Seinup” because one of its export functions is named “seinup”. Once installed, it opens a backdoor that gives the attacker remote control of the victim’s computer.
In addition, the malware carries a number of cryptographic functions to protect some of its operations. On disk, the malicious code is kept encrypted or compressed so that signature-based scanning does not match it. It is only decoded once loaded into memory, where the malicious DLL is mapped manually rather than through the Win32 loader API, which keeps it out of the loaded-module list that analysis tools normally consult, according to the researcher.
“It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase,” he blogged. “Once a network is compromised, it is increasingly harder to detect such threats.”