Story image

Attack delivers '9002' trojan through google drive

29 Jul 16

Unit 42 recently observed a 9002 Trojan delivered using a combination of shortened links and a shared file hosted on Google Drive. The delivery method also uses an actor-controlled server hosting a custom redirection script to track successful clicks by targeted email addresses.

The infrastructure associated with this 9002 Trojan sample was also found to have previous ties to attacks on Myanmar and other Asian countries that used Poison Ivy as the payload, including a recent, and possibly ongoing campaign against Taiwan.

Short but sweet…

While we do not have specific telemetry on the attack at this time, we believe the attack relies on a shortened link (in this case using the URL shortening service TinyURL) to deliver the 9002 payload. The shortened URL is as follows:

hxxp://tinyurl[.]com/zmu4dry

This shortened link redirects to an actor-controlled server that we refer to as a redirection server, as it hosts a script responsible for redirecting the browser to another location. The shortened link above points to:

hxxp://222.239.91[.]152?<redacted>QGdtYWlsLmNvbWh0dHA6Ly90aW55dXJsLmNvbS9qZmo5b3V2

The URL above contains base64 encoded data, which we believe will then be decoded by the server. The base64 encoded parameter in the URL redirect decodes to:

<redacted>@gmail.comhttp://tinyurl[.]com/jfj9ouv

The Gmail address in the decoded data is the legitimate address of a well-known politician and human rights activist in Myanmar. The shortened URL within the decoded data, specifically ‘hxxp://tinyurl[.]com/jfj9ouv’ again redirects to:

hxxps://drive.google[.]com/uc?id=0B0eVt8dSXzFuN2ltVlVkVl8zNVU&authuser=0&export=download

Conclusion

The use of Google Drive to host malicious files is not a new tactic in attacks. However, using a well-known hosting platform may allow the downloading of a payload to blend into other legitimate traffic from the hosting provider. The actors still use spear phishing as their primary attack method, but because that technique has been so well publicized, intended victims are perhaps more cautious about opening suspicious email attachments or links. 

As spear phishing becomes less successful, threat actors need to continue to adapt and find new methods to successfully deliver malware. The use of a URL shortening service and a redirection server further aids the chances of a successful attack, as it becomes more challenging to determine the validity of the link within an email due to the way link shorteners obfuscate link content.

The files used in these attacks are properly classified as malware by WildFire. AutoFocus customers can find out more about both 9002 and Poison Ivy via the respective malware family tags.

Article by Robert Falcone and Jen Miller Osbor, Palo Alto Networks

SonicWall secures hybrid clouds by simplifying firewall deployment
Once new products are brought online in remote locations, administrators can manage local and distributed networks.
What MSPs can learn from Datto’s Channel Ransomware Report
While there have been less high profile attacks making the headlines, the frequency of attacks is, in fact, increasing.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.