Trojan Uses Google Docs to Communicate with Attackers
November 21, 2012 By Anish Patil
The Dell SonicWALL Threats Research Team received reports that a new Trojan variant is using Google Docs to hide while it infiltrates a victim's system. Although Google Docs has been used for phishing attacks in the past, this new Trojan takes advantage of a Google Docs viewer that loads and displays files via URLs. The Trojan uses this viewer service as a proxy to the command and control (C&C) servers, cloaking the communication between itself and those servers. Because Google Docs encrypts all communication, it is difficult for network security solutions and analysts to identify the type of information being exchanged. And because the Trojan's traffic is coming from Google Docs, it sneaks through some defenses without detection.
Identified as a Backdoor.Makadocs variant, the Trojan disguises itself as a Microsoft Word document icon within the Google Docs viewer and transfers information, such as the infected computer's host name and operating system, to attackers.[1]
But the damage doesn't stop there: as the name implies, this Trojan opens a backdoor so thieves can send more commands to steal sensitive information. So far, the Trojan seems to focus on Brazilian users, and uses social engineering techniques to infect the machine.[2]
Backdoor.Makadocs's use of Google Docs' viewer feature is a violation of Google's policies, but that is unlikely to stop cybercriminals.
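An added example, not from Dell SonicWALL or the sources cited here: detection logic a defender could run over proxy logs to spot the viewer being used as a relay, as described above. It assumes a TLS-inspecting proxy that records full URLs, a viewer address of the form docs.google.com/viewer?url=<target>, and a four-field log format; the log lines, hosts and threshold are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the viewer is requested as docs.google.com/viewer?url=<target>.
VIEWER_HOST, VIEWER_PATH = "docs.google.com", "/viewer"
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".rtf")
REPEAT_THRESHOLD = 3  # same client fetching the same target host this often looks like polling

# Constructed sample log (assumed format: time client_ip method full_url).
SAMPLE_LOG = """\
2012-11-21T10:00:01 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample.org%2Freport.pdf
2012-11-21T10:00:07 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fc2.example.net%2Fgate.php%3Fh%3DPC-01
2012-11-21T10:03:12 10.0.0.7 GET https://www.example.com/index.html
2012-11-21T10:05:07 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fc2.example.net%2Fgate.php%3Fh%3DPC-01
2012-11-21T10:10:07 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fc2.example.net%2Fgate.php%3Fh%3DPC-01
"""

def viewer_target(full_url):
    """Return the URL the viewer was asked to fetch, or None if this is not a viewer request."""
    parts = urlsplit(full_url)
    if parts.hostname != VIEWER_HOST or parts.path != VIEWER_PATH:
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs also percent-decodes the value
    return values[0] if values else None

def find_viewer_relays(log_text):
    """Flag viewer requests whose fetched target does not look like a document view."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, full_url = fields
        target = viewer_target(full_url)
        if target is None:
            continue
        t = urlsplit(target)
        counts[(client, t.hostname)] += 1
        reasons = []
        if not t.path.lower().endswith(DOC_EXTENSIONS):
            reasons.append("target is not a document")
        if t.query:
            reasons.append("target carries query data")
        if counts[(client, t.hostname)] >= REPEAT_THRESHOLD:
            reasons.append("repeated fetches of one host")
        if reasons:
            hits.append({"time": ts, "client": client, "target_host": t.hostname, "reasons": reasons})
    return hits
```

Without TLS inspection the proxy sees only the connection to docs.google.com, so the same checks would have to run on endpoint telemetry instead.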
If you're a Dell SonicWALL customer with a valid subscription, Gateway AntiVirus provides protection against this threat through the following signature:
- GAV: Makadocs (Trojan)
- Get more details about this Trojan variant from the Dell SonicWALL Threat Research Team
- See other SonicAlerts: View a complete history of all SonicAlert research
[1] Trojan Uses Google Docs to Communicate with its Control Server. The H Security, Heise Media UK. November 17, 2012. http://www.h-online.com/security/news/item/Trojan-uses-Google-Docs-to-communicate-with-its-control-server-1752343.html
[2] Kirkland, Marquisa. Backdoor Trojan Uses Google Docs to Connect to C&C Servers. Hyphenet. November 21, 2012. http://www.hyphenet.com/blog/2012/11/21/backdoor-trojan-uses-google-docs-to-connect-to-cc-servers/