All the latest UK technology news, reviews and analysis

Google Docs hijacked by Trojan.APT.Seinup malware

19 Jun 2013
Google Logo

A cyber attack that uses Google Docs to avoid detection in order to steal information has been spotted in the wild.

Security firm FireEye reported uncovering the campaign, warning that the crooks are using advanced malware to mount a targeted spear phishing campaign designed to steal corporate and personal data from a variety of victims.

FireEye researcher Chong Rong Hwa wrote: "The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN [Association of Southeast Asian Nations]. Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy.

"This malware was found to have used a number of advanced techniques, which makes it interesting. The malware leverages Google Docs to perform redirection to evade callback detection."

Chong highlighted the use of Google Docs as particularly troublesome as it offers the malware increased protection against traditional security tools, but confirmed that there are ways to address the problem. "By connecting the malicious server via Google Docs, the malicious communication is protected by the legitimate SSL provided by Google Docs," he wrote.

"One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organisation. Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organisation's incident response team may want to dig deeper to find out if the traffic is triggered by a human or by malware."

Outside of its use of Google Docs, the phishing document is confirmed to target the CVE-2012-0158 vulnerability and use a malware dropper named exp1ore.exe. The dropper is particularly dangerous as it allows the malware to falsely register itself as a Windows Service on infected machines, meaning it can survive a system reboot and network persist.

The malware is troublesome as it grants the criminals a variety of powers over the infected machine. "This malware is named Trojan.APT.Seinup because one of its export functions is named ‘seinup'. This malware was analysed to be a backdoor that allows the attacker to remote control the infected system," wrote Chong.

The FireEye researcher listed the campaign as proof criminals are developing new more sophisticated ways to target businesses, and called for companies to update their current defence strategies to deal with the evolved threat.

"Malware is increasingly becoming more contextually advanced. It attempts to appear as much as possible like legitimate software or documents. In this example, we would conclude the following. A potentially stolen document was used as a decoy document to increase its credibility. It is also a sign that the compromised organisations could be used as a soft target to compromise their business partners and allies," he wrote.

"It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase. Once a network is compromised, it is increasingly harder to detect such threats. Anti-incident response and forensic techniques are increasingly used to evade detection. It would require a keen eye on details and a wealth of experience to identify all these advanced techniques."

FireEye is one of many companies to urge firms to drop their outdated perimeter-based defences. Most recently Finnish security firm F-Secure released its contextually aware DeepGuard 5 analysis tool to help businesses spot attacks on their systems.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Related jobs

Devices at work poll

Which device do you use most for work?

Popular Threads

Powered by Disqus
LG G Flex 2 hands-on review

CES 2015: LG G Flex 2 video

A closer look at LG's latest curved-screen smartphone

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Dynamics CRM Developer (C#, Scribe, CRM Dynamics 2011)

Dynamics CRM Developer (C#, Scribe, CRM Dynamics 2011...

Digital Designer - UX Consultant - Oxford - £35k

Digital Designer - UX Consultant – Client Facing / Web...

Technical/Product Configuration Consultant .net SQL

Technical/Product Configuration Consultant .net SQL...

Inside Sales Executive/ SW Sales Support

Inside Sales Executive/Sw Sales Support Executive...
To send to more than one email address, simply separate each address with a comma.