Cyber criminals have successfully delivered "9002", a dangerous Trojan, using an innovative method that combines shortened links, a server under their control running a redirection script, and a shared file on Google Drive. The delivery starts with a spear-phishing attack, and the attackers are able to track the clicks made from the email. The present campaign appears to be targeting organizations in Taiwan, and it has also succeeded in infecting many systems in Myanmar.
Cyber security experts observed that the shortened URL first redirects to a server under the control of the perpetrators. This server hosts a redirection script that passes the request on through a Gmail ID. An important point to note is that this email address is the legitimate ID of a prominent human rights activist in Myanmar. The link then redirects to a zip file on Google Drive. This zip file carries an authentic name, "2nd Myanmar Industrial Human Resource Development Symposium.exe", and it displays with a PowerPoint icon. When the file is double-clicked it opens and displays genuine information about a conference that was held in Myanmar. The presentation was titled "Role of JMVTI Aung San and Building of Clean and Safe Automobile Society." This is a real vocational centre that is to be established.
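The redirect chain described above (shortener, attacker-controlled redirector, Google Drive download, executable with a document-like name) is something a defender can check without ever running the file. The script below is an added example, not code from the original article or from the researchers it cites: it follows a link one `Location` header at a time with redirects disabled, never fetches a body, and then scores the chain for the pattern in the text. Only `drive.google.com` and the decoy filename come from the article; the shortener list, `redirector.example`, the Drive file ID, and the Content-Disposition header are constructed placeholders, and the "disguised executable" rule is a heuristic, not a signature.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Host lists are assumptions for this example; drive.google.com is the only
# host the article names, the rest are common examples a defender might list.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")
DOCUMENT_EXTS = (".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt")


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop is observed explicitly."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx headers


def fetch_hop_live(url, timeout=10):
    """Live single-hop resolver (not used by the offline demo): HEAD one URL
    and return (status, headers) without a body and without following 3xx."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k: v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k: v for k, v in err.headers.items()}


def expand_chain(start_url, fetch_hop, max_hops=10):
    """Walk the chain one Location header at a time.
    Returns (urls_visited, final_status, final_headers)."""
    chain = [start_url]
    status, headers = fetch_hop(start_url)
    while 300 <= status < 400 and _header(headers, "Location") and len(chain) <= max_hops:
        next_url = urljoin(chain[-1], _header(headers, "Location"))
        chain.append(next_url)
        status, headers = fetch_hop(next_url)
    return chain, status, headers


def filename_from_disposition(value):
    """Pull the filename out of a Content-Disposition header (quoted or bare)."""
    if not value:
        return None
    match = re.search(r'filename=(?:"([^"]+)"|([^;]+))', value)
    if not match:
        return None
    return (match.group(1) or match.group(2)).strip()


def looks_like_disguised_executable(filename):
    """Heuristic: an executable extension behind a document-like name, either a
    double extension ('report.pptx.exe') or a multi-word title like the decoy."""
    name = filename.lower()
    if not name.endswith(EXECUTABLE_EXTS):
        return False
    stem = name[: name.rfind(".")]
    double_ext = stem.endswith(DOCUMENT_EXTS)
    title_like = len(stem.split()) >= 3  # decoys tend to be long spaced titles
    return double_ext or title_like


def assess_chain(chain, final_status, final_headers):
    """Score one expanded chain and return findings plus an overall verdict."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if hosts[0] in KNOWN_SHORTENERS:
        findings.append("starts at a URL shortener (%s)" % hosts[0])
    for host in hosts[1:-1]:
        if host not in KNOWN_SHORTENERS | FILE_SHARING_HOSTS:
            findings.append("passes through an unrecognised redirector (%s)" % host)
    if hosts[-1] in FILE_SHARING_HOSTS:
        findings.append("lands on a file-sharing host (%s)" % hosts[-1])
    filename = filename_from_disposition(_header(final_headers, "Content-Disposition"))
    if filename and looks_like_disguised_executable(filename):
        findings.append("delivers an executable disguised as a document (%s)" % filename)
    suspicious = len(findings) >= 3 or any("disguised" in f for f in findings)
    return {"chain": chain, "status": final_status, "filename": filename,
            "findings": findings, "suspicious": suspicious}


# Constructed offline stand-in for the live resolver, mirroring the chain the
# article describes. Hosts, paths and the Drive ID are placeholders, not IoCs.
CONSTRUCTED_HOPS = {
    "https://bit.ly/EXAMPLE": (301, {"Location": "http://redirector.example/go.php?id=7"}),
    "http://redirector.example/go.php?id=7": (302, {
        "Location": "https://drive.google.com/uc?export=download&id=PLACEHOLDER"}),
    "https://drive.google.com/uc?export=download&id=PLACEHOLDER": (200, {
        "Content-Type": "application/zip",
        "Content-Disposition": 'attachment; filename="2nd Myanmar Industrial Human Resource Development Symposium.exe"'}),
}


def fetch_hop_constructed(url):
    return CONSTRUCTED_HOPS.get(url, (404, {}))


def demo():
    chain, status, headers = expand_chain("https://bit.ly/EXAMPLE", fetch_hop_constructed)
    return assess_chain(chain, status, headers)


if __name__ == "__main__":
    result = demo()
    for hop in result["chain"]:
        print("hop:", hop)
    for finding in result["findings"]:
        print("finding:", finding)
    print("suspicious:", result["suspicious"])
```

Swap `fetch_hop_constructed` for `fetch_hop_live` to analyse a real link from an isolated analysis host; because redirects are refused and only HEAD requests are sent, the script records every intermediary (the attacker's redirector in the article's case) instead of silently jumping to the final host, and the final filename is taken from the response header rather than by saving the file.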
The facts displayed are real events, which would convince even targets who are quite tech savvy. The 9002 Trojan drops a payload, the infamous Poison Ivy remote access Trojan (RAT), disguised as an executable file and two "dll" files. The executable itself is legitimate; however, the hackers use it to side-load a "dll" file. The side-loaded "dll" tries to evade sandboxing in order to protect itself. The main dll file is then loaded and the appropriate registry entries are created.
Exported functions are called from within the main dll, and this causes the 9002 Trojan to execute. The Trojan then initiates communication with its command-and-control (C2) server by sending network beacons to it. The 9002 Trojan has many variants, and the network beacons generated in this case are similar to those generated by the '3102' variant of the 9002 Trojan.
The cyber security analysts were able to track the IP addresses of the C2 server. Earlier, other cyber security specialists had found one of the domains linked to Poison Ivy attacks on Myanmar and other countries in Asia.
In this case, many other Poison Ivy samples were discovered, and many of the decoy files were in Chinese, suggesting that this was a well-planned attack against organizations in Taiwan.
Many intended victims have become wary of spear-phishing and hence do not open email attachments or click on links in suspicious emails. However, the idea of inducing victims to click on safe-looking shortened URLs and then redirecting them through other authentic websites, where the malware is quietly dropped, is quite new and well planned.
Users should be cautious and must not click on shortened URLs or open attachments in emails from doubtful or suspicious sources. Furthermore, they must protect their systems and data with a robust antivirus solution that prevents execution of unknown files by using default-deny technology, auto-sandboxing, host intrusion prevention systems and real-time virus scanning.