Cyber Attack Uses Google Drive To Deliver 9002 Trojan

trojan

Hackers use Google Drive to host malicious files that seems to be targeting a number of Asian countries

Google Drive is being used by hackers to host malicious files as part of a malware campaign targeting a number of Asian countries including Myanmar and Taiwan.

This is the warning from Unit 42 researchers at Palo Alto Networks in a blog post, in which they said the 9002 Trojan is delivered onto a victim’s computer via a combination of shortened URL links and a shared file hosted on Google’s cloud storage service.

Poison Ivy RAT

According to the researchers, the attackers make use of a server that hosts a custom redirection script to track successful clicks by targeted email addresses. This 9002 Trojan carries the infamous Poison Ivy remote access Trojan (RAT) as its payload, the researchers warned.

“While we do not have specific telemetry on the attack at this time, we believe the attack relies on a shortened link (in this case using the URL shortening service TinyURL) to deliver the 9002 payload,” the researchers wrote.

“This shortened link redirects to an actor-controlled server that we refer to as a redirection server, which redirects the victim to a gmail address belonging to a ‘well-known politician and human rights activist in Myanmar’.”

From there the victim is redirected to a Zip file hosted on Google Drive, bearing the filename of “2nd Myanmar Industrial Human Resource Development Symposium.zip”.

googledrivelogoleadThis zip file contains an executable that is disguised as a PowerPoint icon. What makes this Trojan so believable is that the decoy PowerPoint presentation contains details of a conference in Myanmar to be held on 30 July, entitled “Role of JMVTI Aung San and Building of Clean and Safe Automobile Society”.

The researchers said that Japan Myanmar Vocational Training Institute (JMVTI) Aung San is a training centre established by the Asia Environmental Technology Promotion Institute under Myanmar’s Ministry of Science and Technology.

According to the researchers, the 9002 Trojan communicates with a domain that acts as its command and control (C2) server, associated with Poison Ivy samples used for attacks on Myanmar and other Asian countries as revealed earlier this year by Arbor Networks.

“While we do not have complete targeting information associated with these samples, several of the decoy files were in Chinese and appear to be part of a recent and possibly ongoing campaign targeting organisations in Taiwan,” said the researchers.

“The use of Google Drive to host malicious files is not a new tactic in attacks,” they wrote. “However, using a well-known hosting platform may allow the downloading of a payload to blend into other legitimate traffic from the hosting provider. The actors still use spear phishing as their primary attack method, but because that technique has been so well publicised, intended victims are perhaps more cautious about opening suspicious email attachments or links.”

“As spear phishing becomes less successful, threat actors need to continue to adapt and find new methods to successfully deliver malware,” they warned. “The use of a URL shortening service and a redirection server further aids the chances of a successful attack, as it becomes more challenging to determine the validity of the link within an email due to the way link shorteners obfuscate link content.”

Asian Threats

At the moment it seems this new threat is limited to Asia, a region that is facing a growing number of security issues of late.

Last year Kaspersky Lab warned of a hacker collective called Naikon that was actively targeting a number of countries in the South China Sea area.

That hacker group had apparently infiltrated a number of government, civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Thailand, Laos, China and Nepal.

Are you a security expert? Try our quiz!