Trojan uses Google Docs to cloak its communication with servers (November 21, 2012)


The Dell SonicWALL Threats Research team received reports of a new malware threat that uses a novel trick to hide its operation. This Trojan communicates with its C&C servers using Google Docs as a proxy. Because the connection to Google Docs is encrypted, the proxy hop cloaks the C&C traffic and improves the Trojan's chances of evading detection.

The malicious executable carries a Microsoft Word document icon to entice the user into opening it, which runs the Trojan.
[Screenshot: the executable displayed with a Word document icon]

Infection Cycle

The Trojan begins by creating a mutex named “G46A33F21110”. This ensures that only one instance of the Trojan runs on the machine at a time.

The Trojan then runs the following commands to enumerate the domain and local administrator groups (the second and fourth use the Brazilian Portuguese group names, so the enumeration also works on localized Windows installations):

  • Net.exe group Domain Admins /domain
  • Net.exe group Admins. do Domínio /domain
  • Net.exe localgroup Administrators
  • Net.exe localgroup Administradores
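The four commands above are a compact behavioural signature: a single process asking for both the domain and the local admin groups, in two languages, within seconds. The following detection logic is an added example written for this analysis, not SonicWALL code or anything from the sample; it runs over constructed process-creation events (the field names `pid`, `ppid`, `parent`, `cmdline` and the event records are assumptions), tolerates quoted and unquoted group names, and ignores `net` invocations that modify groups rather than enumerate them.

```python
"""Detect the admin-group enumeration sequence from process-creation telemetry.

Added example for this analysis (not SonicWALL's code). The event records are
constructed to mimic a process-creation log; the field names are assumptions.
"""
import re
from collections import defaultdict

# Group names queried by the sample (from the analysis), lowercased. "Admins. do
# Domínio" and "Administradores" are the pt-BR names of Domain Admins / Administrators.
ADMIN_GROUP_NAMES = {
    "domain admins",
    "admins. do domínio",
    "administrators",
    "administradores",
}

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}  # net.exe hands off to net1.exe

# Constructed sample telemetry (not from the page): the four commands spawned by a
# dropper, plus two benign net.exe invocations that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 4000, "parent": r"C:\Users\ana\Downloads\relatorio.exe",
     "cmdline": 'Net.exe group "Domain Admins" /domain'},
    {"pid": 4101, "ppid": 4000, "parent": r"C:\Users\ana\Downloads\relatorio.exe",
     "cmdline": "Net.exe group Admins. do Domínio /domain"},  # unquoted, as listed above
    {"pid": 4102, "ppid": 4000, "parent": r"C:\Users\ana\Downloads\relatorio.exe",
     "cmdline": "Net.exe localgroup Administrators"},
    {"pid": 4103, "ppid": 4000, "parent": r"C:\Users\ana\Downloads\relatorio.exe",
     "cmdline": "Net.exe localgroup Administradores"},
    {"pid": 5200, "ppid": 5100, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user ana /domain"},
    {"pid": 5201, "ppid": 5100, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup Administrators helpdesk /add"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def classify_net_command(cmdline):
    """Return (scope, group) for a read-only net group/localgroup query, else None.

    scope is "domain" when /domain is present, otherwise "local". Any other switch
    (/add, /delete, ...) means the command modifies a group rather than enumerating
    it. Unquoted multi-word names are joined, so 'group Admins. do Domínio /domain'
    and 'group "Admins. do Domínio" /domain' classify the same way.
    """
    argv = split_cmdline(cmdline)
    if len(argv) < 3:
        return None
    image = argv[0].rsplit("\\", 1)[-1].lower()
    if image not in NET_IMAGES or argv[1].lower() not in ("group", "localgroup"):
        return None
    name_parts, switches = [], []
    for tok in argv[2:]:
        (switches if tok.startswith("/") else name_parts).append(tok.lower())
    if not name_parts or any(sw != "/domain" for sw in switches):
        return None
    scope = "domain" if "/domain" in switches else "local"
    return scope, " ".join(name_parts)


def find_admin_enumeration(events, min_queries=2):
    """Group admin-group queries by parent process; return parents with >= min_queries.

    One 'net localgroup Administrators' is routine; the same parent asking for the
    domain and the local admin groups (in two languages) is the sample's signature.
    """
    by_parent = defaultdict(list)
    for ev in events:
        hit = classify_net_command(ev["cmdline"])
        if hit and hit[1] in ADMIN_GROUP_NAMES:
            by_parent[(ev["ppid"], ev["parent"])].append(hit)
    return {parent: hits for parent, hits in by_parent.items() if len(hits) >= min_queries}


if __name__ == "__main__":
    for (ppid, parent), hits in find_admin_enumeration(SAMPLE_EVENTS).items():
        print(f"pid {ppid} {parent}: {len(hits)} admin-group queries {hits}")
```

The threshold of two queries from one parent keeps a lone `net localgroup Administrators` typed by an administrator out of the alert; a parent launched from a user's Downloads directory that also asks for Domain Admins is the case worth paging on.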

The Trojan communicates with its C&C servers using the Google Docs service as an intermediary. The following two screenshots show the malicious URL being wrapped into a Google Docs Viewer link:

[Screenshot: the C&C URL in the Trojan's code]

[Screenshot: the same URL wrapped as a Google Docs Viewer link]

Through the Google Docs Viewer proxy, the Trojan attempts to reach the following C&C servers:

  • 83.222.226.158
  • cdn.akamaihub.com
  • msupdatecdn.com
  • stocksengine.net

The Trojan reports information about the victim host through the following parameters:

  • id (identifier for the Trojan)
  • bdversion (version number of the Trojan)
  • guidx
  • win_version (victim's Windows version)
  • win_baseversion (base build of Windows)
  • username (current user's account name)
  • hostname (computer name)
  • killed
  • time_get
  • time_ipchange
  • time_cmd
  • workdir (directory where the Trojan is present)
  • cmd_line (path to the command shell on the victim host)
  • localadmin (local admin account name)
  • domainadmin (domain admin account name)
  • domain (domain of the machine)

The following paths were observed in the Trojan's code. They give an idea of the functionality implemented:

  • /syncstart.html – report information about the infected host
  • /update.html – update the Trojan with a new set of commands and/or functionality
  • /updatecheck.html – check whether an update is necessary
  • /updatestatus.htm – check the status of the update

Google Docs Viewer lets users view documents in the browser rather than saving and opening them in a dedicated program. The Trojan uses this service as a proxy for its C&C servers, which effectively cloaks the communication between the two. Because the traffic to Google is encrypted, network security devices and analysts cannot easily see what is being exchanged, and because the connections go to Google Docs rather than directly to the C&C hosts, the traffic can pass through some defenses as legitimate.
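Where the Viewer request is visible (a TLS-terminating proxy, or a plaintext variant), the wrapped URL sits in the `url` query parameter and can be unwrapped and matched against the C&C hosts, beacon paths and parameter names listed above. The scanner below is an added example written for this analysis, not SonicWALL code; the proxy log lines are constructed, the log format `<time> <client> <method> <url> <status>` is an assumption, and the Viewer URL form `docs.google.com/viewer?url=<target>` is the public one and is assumed to be what the sample produced (the page shows it only in screenshots). The three-field overlap threshold for flagging an unknown host is likewise an assumption.

```python
"""Unwrap Google Docs Viewer links in proxy logs and flag wrapped C&C beacons.

Added example for this analysis (not SonicWALL's code). The log lines are
constructed; the Viewer URL form docs.google.com/viewer?url=<target> is assumed.
"""
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the analysis above
CNC_HOSTS = {"83.222.226.158", "cdn.akamaihub.com", "msupdatecdn.com", "stocksengine.net"}
BEACON_PATHS = {"/syncstart.html", "/update.html", "/updatecheck.html", "/updatestatus.htm"}
BEACON_PARAMS = {
    "id", "bdversion", "guidx", "win_version", "win_baseversion", "username",
    "hostname", "killed", "time_get", "time_ipchange", "time_cmd", "workdir",
    "cmd_line", "localadmin", "domainadmin", "domain",
}
MIN_PARAM_OVERLAP = 3  # assumption: three beacon field names is enough to flag an unknown host

# Constructed proxy log (not from the page): "<time> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = [
    "2012-11-21T10:02:11Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fstocksengine.net%2Fsyncstart.html%3Fid%3D1%26bdversion%3D2%26username%3Dana%26hostname%3DWS01%26domain%3DCORP 200",
    "2012-11-21T10:03:40Z 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample.org%2Fwhitepaper.pdf&embedded=true 200",
    "2012-11-21T10:07:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fmsupdatecdn.com%2Fupdatecheck.html%3Fid%3D7 200",
    "2012-11-21T10:07:30Z 10.0.0.5 GET https://www.google.com/search?q=docs 200",
    "2012-11-21T10:12:15Z 10.0.0.5 GET http://cdn.akamaihub.com/update.html?id=1 503",
]


def unwrap_viewer(url):
    """Return the URL wrapped by a Google Docs Viewer link, or None if url is not one."""
    parts = urlsplit(url)
    if parts.hostname != "docs.google.com" or parts.path not in ("/viewer", "/gview"):
        return None
    wrapped = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value once
    return wrapped[0] if wrapped else None


def classify_target(target_url):
    """Score a request target against the C&C hosts, beacon paths and beacon field names."""
    parts = urlsplit(target_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []
    if parts.hostname in CNC_HOSTS:
        reasons.append("known C&C host")
    if parts.path in BEACON_PATHS:
        reasons.append("beacon path " + parts.path)
    overlap = BEACON_PARAMS & set(params)
    if len(overlap) >= MIN_PARAM_OVERLAP:
        reasons.append("%d beacon fields: %s" % (len(overlap), ",".join(sorted(overlap))))
    return {"host": parts.hostname, "path": parts.path, "params": params, "reasons": reasons}


def scan_log(lines):
    """Return one finding per request whose (unwrapped) target looks like a Makadocs beacon."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        wrapped = unwrap_viewer(url)
        verdict = classify_target(wrapped or url)  # direct hits are scored too
        if verdict["reasons"]:
            verdict.update(time=ts, client=client, via_viewer=wrapped is not None,
                           target=wrapped or url)
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_PROXY_LOG):
        print(f["time"], f["client"], "viewer" if f["via_viewer"] else "direct",
              f["target"], "|", "; ".join(f["reasons"]))
```

The caveat the analysis itself points at: if the proxy does not terminate TLS it sees only the docs.google.com SNI, and the `url` parameter is invisible. Google's servers, not the victim, fetch the wrapped URL, so the C&C hostnames will not show up in internal DNS either; the direct-request branch in `scan_log` only helps if the sample reaches a C&C host without the Viewer hop.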

Dell SonicWALL Gateway AntiVirus provides protection against this threat through the following signature:

  • GAV: Makadocs (Trojan)