Google Docs hijacked by Trojan.APT.Seinup malware

A cyber attack that uses Google Docs to avoid detection in order to steal information has been spotted in the wild.

Security firm FireEye reported uncovering the campaign, warning that the crooks are using advanced malware to mount a targeted spear phishing campaign designed to steal corporate and personal data from a variety of victims.
FireEye researcher Chong Rong Hwa wrote: "The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN [Association of Southeast Asian Nations].

"Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy.

"This malware was found to have used a number of advanced techniques, which makes it interesting. The malware leverages Google Docs to perform redirection to evade callback detection."

Chong highlighted the use of Google Docs as particularly troublesome as it offers the malware increased protection against traditional security tools, but confirmed that there are ways to address the problem. "By connecting the malicious server via Google Docs, the malicious communication is protected by the legitimate SSL provided by Google Docs," he wrote.

"One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organisation. Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organisation's incident response team may want to dig deeper to find out if the traffic is triggered by a human or by malware."
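One way to act on that usage-pattern suggestion, as an added example that is not from the article or from FireEye: a Python script that parses constructed proxy log lines and flags hosts whose connections to docs.google.com arrive at machine-regular intervals (a beaconing signature), so an incident response team knows which users to look at first. The log format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article): 10.0.0.5 connects every
# five minutes like a beacon, 10.0.0.7 in bursts and gaps like a person.
PROXY_LOG = """\
2013-06-20T09:00:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:05:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:10:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:15:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:20:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:25:00 10.0.0.5 CONNECT docs.google.com:443
2013-06-20T09:02:13 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T09:02:41 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T09:03:05 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T11:47:30 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T14:20:09 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T16:55:52 10.0.0.7 CONNECT docs.google.com:443
2013-06-20T09:07:00 10.0.0.9 CONNECT mail.google.com:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) CONNECT ([^:\s]+):\d+$")

def parse_google_docs_hits(log_text, domain="docs.google.com"):
    """Return {src_ip: [timestamps]} for CONNECTs to the given domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == domain:
            hits[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return hits

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 = machine-regular.
    Returns None with fewer than 3 requests, since there is no usable spread."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def suspicious_hosts(log_text, min_hits=4, max_cv=0.1):
    """Hosts hitting Google Docs >= min_hits times at near-constant spacing."""
    flagged = {}
    for ip, ts in parse_google_docs_hits(log_text).items():
        cv = beacon_score(ts)
        if len(ts) >= min_hits and cv is not None and cv <= max_cv:
            flagged[ip] = round(cv, 3)
    return flagged
```

A flagged host is a lead, not a verdict: the next step is to look at what process on that machine is opening the connections.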

Outside of its use of Google Docs, the phishing document is confirmed to target the CVE-2012-0158 vulnerability and to use a malware dropper named exp1ore.exe. The dropper is particularly dangerous because it lets the malware falsely register itself as a Windows Service on infected machines, meaning it survives a system reboot and keeps its foothold on the network.

The malware is troublesome as it grants the criminals a variety of powers over the infected machine. "This malware is named Trojan.APT.Seinup because one of its export functions is named 'seinup'. This malware was analysed to be a backdoor that allows the attacker to remote control the infected system," wrote Chong.

The FireEye researcher cited the campaign as proof that criminals are developing new, more sophisticated ways to target businesses, and called for companies to update their current defence strategies to deal with the evolved threat.
"Malware is increasingly becoming more contextually advanced. It attempts to appear as much as possible like legitimate software or documents. In this example, we would conclude the following.

"A potentially stolen document was used as a decoy document to increase its credibility. It is also a sign that the compromised organisations could be used as a soft target to compromise their business partners and allies," he wrote.
"It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase. Once a network is compromised, it is increasingly harder to detect such threats.

"Anti-incident response and forensic techniques are increasingly used to evade detection. It would require a keen eye on details and a wealth of experience to identify all these advanced techniques."

FireEye is one of many companies to urge firms to drop their outdated perimeter-based defences. Most recently Finnish security firm F-Secure released its contextually aware DeepGuard 5 analysis tool to help businesses spot attacks on their systems.