After investigating a newer malicious XLS document, presumably targeted at a Chinese national, I noticed some oddly familiar network traffic produced by the backdoor it dropped. Based on its command and control traffic it was very clearly a variant of the 9002 RAT. The 9002 RAT first achieved notoriety back in 2009 in relation to the Operation Aurora attacks, and more recently, last year, in FireEye's blog posts about the Sunshop Campaign.
However, the RAT itself is relatively uninteresting; beyond basic backdoor capabilities it essentially serves as a platform to download and execute additional DLLs. The part that first struck me this time was the persistence method.
More here: http://blog.cylance.com/another-9002-trojan-variant