Google Docs hijacked by Trojan.APT.Seinup malware

19 Jun 2013

A cyber attack that uses Google Docs to avoid detection in order to steal information has been spotted in the wild.

Security firm FireEye reported uncovering the campaign, warning that the crooks are using advanced malware to mount a targeted spear phishing campaign designed to steal corporate and personal data from a variety of victims.

FireEye researcher Chong Rong Hwa wrote: "The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN [Association of Southeast Asian Nations]. Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy.

"This malware was found to have used a number of advanced techniques, which makes it interesting. The malware leverages Google Docs to perform redirection to evade callback detection."

Chong highlighted the use of Google Docs as particularly troublesome as it offers the malware increased protection against traditional security tools, but confirmed that there are ways to address the problem. "By connecting the malicious server via Google Docs, the malicious communication is protected by the legitimate SSL provided by Google Docs," he wrote.

"One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organisation. Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organisation's incident response team may want to dig deeper to find out if the traffic is triggered by a human or by malware."
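The usage-pattern check Chong describes, rendered as an added example that is not code from the article or from FireEye. It assumes a constructed proxy-log format (ISO timestamp, user, destination host, byte count) and two heuristics taken from the quoted advice: a user who reaches docs.google.com many times a day, and whose requests arrive at near-constant intervals, is handed to the incident response team for a closer look. The thresholds and the sample log lines are assumptions for illustration.

```python
"""Flag users whose Google Docs traffic looks machine-driven rather than human.

Added example, not from the V3 article or FireEye's report. Assumes a
constructed proxy log of the form:
    <ISO timestamp> <user> <destination host> <bytes>
Humans use a document in bursts; an implant that relays its callbacks through
Google Docs tends to check in on a fixed schedule. We therefore measure, per
user, the request count and the coefficient of variation (stddev / mean) of
the gaps between requests; a low value means a very regular schedule.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED_HOST = "docs.google.com"

# Constructed sample: alice edits a document in two bursts, bob's host contacts
# docs.google.com every ten minutes with an identical payload size, carol never
# touches it, and one line is deliberately malformed.
SAMPLE_LOG = """\
2013-06-18T09:01:12 alice docs.google.com 51230
2013-06-18T09:01:40 alice docs.google.com 8831
2013-06-18T09:02:05 alice docs.google.com 2210
2013-06-18T14:30:19 alice docs.google.com 47711
2013-06-18T14:31:02 alice docs.google.com 990
2013-06-18T09:00:00 bob docs.google.com 612
2013-06-18T09:10:00 bob docs.google.com 612
2013-06-18T09:20:00 bob docs.google.com 612
2013-06-18T09:30:00 bob docs.google.com 612
2013-06-18T09:40:00 bob docs.google.com 612
2013-06-18T09:50:00 bob docs.google.com 612
2013-06-18T09:05:00 carol www.example.com 1200
2013-06-18T10:00:00 dave
"""


def parse_log(text):
    """Yield (timestamp, user, host, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # a truncated line should not abort the whole sweep
        ts, user, host, size = parts
        yield datetime.fromisoformat(ts), user, host, int(size)


def per_user_stats(records, host=WATCHED_HOST):
    """Per user: number of requests to `host`, plus regularity of request gaps
    and of payload sizes (coefficient of variation; None when too few points)."""
    times_by_user = defaultdict(list)
    sizes_by_user = defaultdict(list)
    for ts, user, h, size in records:
        if h == host:
            times_by_user[user].append(ts)
            sizes_by_user[user].append(size)

    def cv(values):
        return pstdev(values) / mean(values) if len(values) >= 2 and mean(values) > 0 else None

    stats = {}
    for user, times in times_by_user.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[user] = {
            "count": len(times),
            "gap_cv": cv(gaps),
            "size_cv": cv(sizes_by_user[user]),
        }
    return stats


def flag_beacons(stats, min_count=5, max_gap_cv=0.1):
    """Users with at least `min_count` requests whose inter-request gaps are
    near-constant. Thresholds are assumed values; tune them to your estate."""
    return sorted(
        user for user, s in stats.items()
        if s["count"] >= min_count
        and s["gap_cv"] is not None
        and s["gap_cv"] <= max_gap_cv
    )


if __name__ == "__main__":
    stats = per_user_stats(parse_log(SAMPLE_LOG))
    for user, s in sorted(stats.items()):
        print(f"{user:8} requests={s['count']:3} gap_cv={s['gap_cv']} size_cv={s['size_cv']}")
    print("triage candidates:", flag_beacons(stats))
```

On the constructed log only bob is flagged: his six requests are exactly ten minutes apart (gap_cv 0.0), while alice's bursty editing yields a gap_cv far above the threshold. The flag is a triage cue, not a verdict; the analyst still has to establish whether a person or a process generated the traffic, which is precisely the "dig deeper" step the quote calls for.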

Outside of its use of Google Docs, the phishing document is confirmed to target the CVE-2012-0158 vulnerability and use a malware dropper named exp1ore.exe. The dropper is particularly dangerous as it allows the malware to falsely register itself as a Windows Service on infected machines, meaning it can survive a system reboot and persist on the network.

The malware is troublesome as it grants the criminals a variety of powers over the infected machine. "This malware is named Trojan.APT.Seinup because one of its export functions is named 'seinup'. This malware was analysed to be a backdoor that allows the attacker to remotely control the infected system," wrote Chong.

The FireEye researcher listed the campaign as proof that criminals are developing new, more sophisticated ways to target businesses, and called for companies to update their current defence strategies to deal with the evolved threat.

"Malware is increasingly becoming more contextually advanced. It attempts to appear as much as possible like legitimate software or documents. In this example, we would conclude the following. A potentially stolen document was used as a decoy document to increase its credibility. It is also a sign that the compromised organisations could be used as a soft target to compromise their business partners and allies," he wrote.

"It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase. Once a network is compromised, it is increasingly harder to detect such threats. Anti-incident response and forensic techniques are increasingly used to evade detection. It would require a keen eye on details and a wealth of experience to identify all these advanced techniques."

FireEye is one of many companies to urge firms to drop their outdated perimeter-based defences. Most recently Finnish security firm F-Secure released its contextually aware DeepGuard 5 analysis tool to help businesses spot attacks on their systems.

Alastair Stevenson
Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.