As reported by V3.co.uk, FireEye researchers have identified a spear phishing campaign that is connecting advanced malware to command and control (C&C) servers via the legitimate SSL provided by Google Docs, in order to steal corporate and personal data.
So far, the attack appears to be targeting victims in Southeast Asia, and one of the spear phishing documents intercepted by FireEye researchers is a legitimate document that was stolen and used as a decoy.
Once it breaches the network, the backdoor malware known as Trojan.APT.Seinup exploits the CVE-2012-0158 vulnerability in Windows and uses the dropper exp1ore.exe to give cyber criminals remote control of infected systems.
And if that weren’t chilling enough, there are apparently 4 factors that make this strain of advanced malware unusually deceptive and dangerous:
- It uses Google Docs to redirect and therefore avoid callback detection
- It uses numerous cryptographic functions to conduct some tasks securely
- It is loaded manually into memory and therefore stays hidden from the DLL listing
- It falsely registers itself as a Windows Service and therefore survives reboots
As for protecting themselves, FireEye researchers recommend that enterprises consider the following steps:
- Use a hardware SSL decrypter to examine all SSL traffic
- Examine usage patterns to determine whether unusual traffic spikes are caused by users or by malware
- Evolve their outdated perimeter security-based malware defense systems
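As an added illustration of the second recommendation (examining usage patterns), and not code from the original post, FireEye or Seculert: a small Python check over constructed proxy-log lines that flags clients whose requests to docs.google.com arrive at machine-like regular intervals, the kind of callback pattern a hosted redirector helps blend into legitimate traffic. The log field layout, the docs.google.com host filter and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not from the original post): timestamp, client, host, bytes.
SAMPLE_LOG = """\
2013-06-20T09:00:00 10.0.0.5 docs.google.com 1200
2013-06-20T09:05:00 10.0.0.5 docs.google.com 1180
2013-06-20T09:10:01 10.0.0.5 docs.google.com 1210
2013-06-20T09:15:00 10.0.0.5 docs.google.com 1195
2013-06-20T09:20:00 10.0.0.5 docs.google.com 1205
2013-06-20T09:02:13 10.0.0.7 docs.google.com 45000
2013-06-20T09:31:40 10.0.0.7 docs.google.com 9800
2013-06-20T10:12:05 10.0.0.7 docs.google.com 120300
2013-06-20T10:14:50 10.0.0.7 docs.google.com 2300
2013-06-20T11:47:22 10.0.0.7 docs.google.com 77000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group (timestamp, bytes) per (client, host); lines that do not match are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, size = m.groups()
            sessions[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return sessions

def beacon_score(events, min_events=5):
    """Coefficient of variation of inter-request gaps; near 0 means machine-like regularity."""
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu else None

def find_beacons(text, host_filter="docs.google.com", cv_threshold=0.2):
    """Clients whose requests to host_filter arrive at suspiciously regular intervals."""
    flagged = []
    for (client, host), events in parse_log(text).items():
        score = beacon_score(events) if host == host_filter else None
        if score is not None and score < cv_threshold:
            flagged.append((client, round(score, 3), len(events)))
    return sorted(flagged)
```

On the sample, 10.0.0.5 (five requests exactly five minutes apart) is flagged while 10.0.0.7 (bursty, human-looking gaps) is not; a flagged host is a lead for decrypted-traffic inspection, not proof of infection.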
This last recommendation is part of a growing awareness that advanced malware like Trojan.APT.Seinup cannot be 100% prevented. As such, enterprises must shift their attention and resources towards detecting breaches early in the infection process, and stopping them before they embed themselves in the network and potentially persist for months – or even years – allowing sophisticated cyber criminals to carry out their illicit economic, social or political agendas.
To learn more about protection from Advanced Persistent Threats, such as those using Google Docs to hack enterprises, join us on July 18, 2013 for an in-depth webinar, "Why depending on malware prevention alone is no longer an option"; register here.
The post Spear Phishing Campaign uses Google Docs to Hack Enterprises appeared first on Seculert Blog on Advanced Threats and Cyber Security.