Cyber Attack Delivers 9002 Trojan Using Google Drive

Hackers are using the Google Drive for hosting of malicious files as malware campaign part to target various Asian countries that includes Taiwan and Myanmar. Mixture of shorten links and Google Drive hosted shared file are used by cybercrooks for delivering 9002 trojan, which is a cyber-espionage danger. This Trojan contains the well-known Poison Ivy RAT (Remote Access Trojan) as payload, researchers warned.

Spear phishing is still used as the method for primary attack by the hackers who are responsible for 9002 trojan. Using a service related to URL shortening and the redirection server additionally increases the chances of an effective attack due to the way link content gets obfuscated by link shorteners.

The shortened link diverts to the actor-controlled server, which we also called as redirection server, as the victim gets redirected to the gmail address of a 'popular politician and activist of human rights in Myanmar'.

From that point, the victim is redirected towards a Google Drive hosted Zip file bearing "2nd Myanmar Industrial Human Resource Development Symposium.zip" as the filename.

The zip file consists of an executable, which is disguised as an icon of PowerPoint. The decoy presentation of PowerPoint contains information regarding a Myanmar conference of 30th July, with a title namely "Role of JMVTI Aung San and Building of Clean and Safe Automobile Society", which made this Trojan look so believable.

The researchers say that 9002 Trojan communicates with the domain, which acts as the command and control (C2) server, connected to samples of Poison Ivy that are used for the attacks on Myanmar as well as other countries of Asia, as revealed by the Arbor Networks in the early part of this year.

As the spear phishing turns out to be less successful, the threat actors should carry on to adapt and found new ways to deliver malware successfully, they warned. "The use of a URL shortening service and a redirection server further aids the prospect of a fruitful attack, as it becomes more challenging to determine the validity of the link within an email due to the way link shorteners obfuscate link content".

» SPAMfighter News - 8/3/2016