Unit 42 recently observed a 9002 Trojan delivered using a combination of shortened links and a shared file hosted on Google Drive. The delivery method also uses an actor-controlled server hosting a custom redirection script to track successful clicks by targeted email addresses.
The infrastructure associated with this 9002 Trojan sample was also found to have previous ties to attacks on Myanmar and other Asian countries that used Poison Ivy as the payload, including a recent, and possibly ongoing campaign against Taiwan.
Short but sweet…
While we do not have specific telemetry on the attack at this time, we believe the attack relies on a shortened link (in this case using the URL shortening service TinyURL) to deliver the 9002 payload. The shortened URL is as follows:
This shortened link redirects to an actor-controlled server that we refer to as a redirection server, as it hosts a script responsible for redirecting the browser to another location. The shortened link above points to:
The URL above contains base64 encoded data, which we believe will then be decoded by the server. The base64 encoded parameter in the URL redirect decodes to:
The Gmail address in the decoded data is the legitimate address of a well-known politician and human rights activist in Myanmar. The shortened URL within the decoded data, specifically ‘hxxp://tinyurl[.]com/jfj9ouv’ again redirects to:
The use of Google Drive to host malicious files is not a new tactic in attacks. However, using a well-known hosting platform may allow the downloading of a payload to blend into other legitimate traffic from the hosting provider. The actors still use spear phishing as their primary attack method, but because that technique has been so well publicized, intended victims are perhaps more cautious about opening suspicious email attachments or links.
As spear phishing becomes less successful, threat actors need to continue to adapt and find new methods to successfully deliver malware. The use of a URL shortening service and a redirection server further aids the chances of a successful attack, as it becomes more challenging to determine the validity of the link within an email due to the way link shorteners obfuscate link content.
The files used in these attacks are properly classified as malware by WildFire. AutoFocus customers can find out more about both 9002 and Poison Ivy via the respective malware family tags.
Article by Robert Falcone and Jen Miller Osbor, Palo Alto Networks