{
	"id": "ec468553-2b78-47f5-a64d-cc8c05065ce7",
	"created_at": "2026-04-06T00:11:37.07685Z",
	"updated_at": "2026-04-10T13:11:19.236659Z",
	"deleted_at": null,
	"sha1_hash": "b5fe8c526f33bdea3d393b6a633923154895ef9b",
	"title": "Attack Delivers ‘9002’ Trojan Through Google Drive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 719749,
	"plain_text": "Attack Delivers ‘9002’ Trojan Through Google Drive\r\nBy Robert Falcone, Jen Miller-Osborn\r\nPublished: 2016-07-26 · Archived: 2026-04-05 14:16:15 UTC\r\nUnit 42 recently observed a 9002 Trojan delivered using a combination of shortened links and a shared file hosted\r\non Google Drive. The delivery method also uses an actor-controlled server hosting a custom redirection script to\r\ntrack successful clicks by targeted email addresses. The infrastructure associated with this 9002 Trojan sample\r\nwas also found to have previous ties to attacks on Myanmar and other Asian countries that used Poison Ivy as the\r\npayload, including a recent, and possibly ongoing campaign against Taiwan.\r\nShort but sweet…\r\nWhile we do not have specific telemetry on the attack at this time, we believe the attack relies on a shortened link\r\n(in this case using the URL shortening service TinyURL) to deliver the 9002 payload. The shortened URL is as\r\nfollows:\r\nhxxp://tinyurl[.]com/zmu4dry\r\nThis shortened link redirects to an actor-controlled server that we refer to as a redirection server, as it hosts a script\r\nresponsible for redirecting the browser to another location. The shortened link above points to:\r\nhxxp://222.239.91[.]152?\u003credacted\u003eQGdtYWlsLmNvbWh0dHA6Ly90aW55dXJsLmNvbS9qZmo5b3V2\r\nThe URL above contains base64 encoded data, which we believe will then be decoded by the server. The base64\r\nencoded parameter in the URL redirect decodes to:\r\n\u003credacted\u003e@gmail.comhttp://tinyurl[.]com/jfj9ouv\r\nThe Gmail address in the decoded data is the legitimate address of a well-known politician and human rights\r\nactivist in Myanmar. 
The shortened URL within the decoded data, specifically ‘hxxp://tinyurl[.]com/jfj9ouv’ again\r\nredirects to:\r\nhxxps://drive.google[.]com/uc?id=0B0eVt8dSXzFuN2ltVlVkVl8zNVU\u0026authuser=0\u0026export=download\r\nActor’s Redirection Server\r\nThe server with an IP address of ‘222.239.91[.]152’ appears to run a script that parses parameters from inbound\r\nHTTP requests. To better determine the script’s functionality, we issued a series of HTTP requests to the\r\nredirection server to figure out the purpose of the base64 encoded data within the URL and to determine the\r\nstrings that the script uses to redirect the browser.\r\nOur initial HTTP request, as seen in Figure 1, involved the URL pointed to by the initial shortened link associated\r\nwith this attack. As seen from the HTTP response, the script issued an HTTP 302 Moved Temporarily response to\r\nhttp://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/\r\nPage 1 of 9\n\nrelocate the browser to the URL in the “Location” field, which is the same URL from the decoded base64 data\r\nsent in the HTTP request.\r\n$ curl -i -A \"Mozzarella/4.0\" 222.239.91[.]152?\r\n\u003credacted\u003eQGdtYWlsLmNvbWh0dHA6Ly90aW55dXJsLmNvbS9qZmo5b3V2\r\nHTTP/1.1 302 Moved Temporarily\r\nConnection: close\r\nContent-Length: 0\r\nDate: Mon, 18 Jul 2016 16:25:28 GMT\r\nLocation: http://tinyurl[.]com/jfj9ouv\r\nFigure 1 Response to HTTP request to initial delivery URL\r\nThe second test HTTP request we issued used the base64 encoded data for the string\r\n“fake@gmail.comhttp://yahoo.com”, which as seen in Figure 2 would redirect the browser to “http://yahoo.com”\r\nvia an HTTP 302 response. 
This suggests that the email string is not used for any sort of authentication for the\r\ninbound request, and instead is possibly used by the threat actors to track successful clicks by a targeted email.\r\n$ curl -i -A \"Mozzarella/4.0\" http://222.239.91[.]152/?\r\nZmFrZUBnbWFpbC5jb21odHRwOi8veWFob28uY29t\r\nHTTP/1.1 302 Moved Temporarily\r\nConnection: close\r\nContent-Length: 0\r\nDate: Mon, 18 Jul 2016 17:10:33 GMT\r\nLocation: http://yahoo.com\r\nFigure 2 Test request confirming that the redirection server uses the base64 decoded data for redirection\r\nWe issued an HTTP request using the base64 encoded data for the string “fake@gmail.comyahoo.com”. Figure 3\r\nshows that the server responded with an HTTP 200 OK response that attempts to resemble an HTTP 403\r\nForbidden response, by writing “403 Forbidden” to the browser window. This error suggests that the redirection\r\nscript on the server parses the base64 decoded data for the string “http” to determine the redirection location.\r\n$ curl -i -A \"Mozzarella/4.0\" http://222.239.91[.]152/?ZmFrZUBnbWFpbC5jb215YWhvby5jb20\r\nHTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=ISO-8859-1\r\nContent-Length: 89\r\nDate: Mon, 18 Jul 2016 17:11:10 GMT\r\n\u003chtml\u003e\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\u003c/body\u003e\u003c/html\u003e\r\nFigure 3 Test request showing the redirection server requires \"http\" within the base64 decoded data\r\nWe ran subsequent test requests to find additional strings that the script would check for within the base64\r\ndecoded data, which it uses to determine the location to which it should redirect the browser. We found that the script also\r\nsupports redirection to URLs that begin with “https”. 
Also, the script is case-sensitive, as requests for URLs with\r\n“HTTP” and “HTTPS” resulted in the same 403 Forbidden response seen in Figure 3. Lastly, we determined that\r\nthe script does not require the “://” characters after “http” and “https”.\r\nTrojan from the Cloud\r\nIn the delivery of this attack, the shortened link that the redirection server redirects to points to a Zip file hosted on\r\nGoogle Drive. The Zip file has a filename of “2nd Myanmar Industrial Human Resource Development\r\nSymposium.zip” (SHA256: c11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3) and\r\ncontains one executable that was added on July 13, 2016.\r\nThe executable within this Zip archive has the filename “2nd Myanmar Industrial Human Resource Development\r\nSymposium.exe” (SHA256: 49ac6a6c5449396b98a89709b0ad21d078af783ec8f1cd32c1c8b5ae71bec129). It is a\r\ndropper Trojan that saves a decoy and a payload to the system and then opens both. The executable uses the\r\nPowerPoint icon, as seen in Figure 4, to trick the victim into launching the executable by making the user think the\r\nfile is a PowerPoint presentation.\r\nFigure 4 Payload has a PowerPoint icon to trick the victim into double clicking the executable\r\nThe decoy, seen in Figure 5, is a PowerPoint presentation that contains details of a conference in Myanmar held\r\non July 30, 2016, titled “Role of JMVTI Aung San and Building of Clean and Safe Automobile Society”. 
The\r\nJapan Myanmar Vocational Training Institute (JMVTI) Aung San is a forthcoming vocational training center\r\nestablished by the Asia Environmental Technology Promotion Institute under Myanmar's Ministry of Science and\r\nTechnology.\r\nFigure 5 Decoy document opened during the installation of the 9002 Trojan\r\nAs for the payload, the dropper creates a randomly named folder within the current user’s folder\r\n(%USERPROFILE%), which it uses to store the following files:\r\nRealNetwork.exe (SHA256: 10d40c51d85ea9ced6050b8951802aaebe81f7db13f42fe5a5589172af481a7e)\r\nmain.dll (SHA256: 53671fe98a0c8c85f6f8eabfa851e27b437f6c392b46e42ddea3f0a656591b12)\r\nmpaplugins\\MPAMedia.dll (SHA256:\r\nf76f639f2a7b8f39abf83737c6d3e533be66398c85ec95526e4b13561e15fbae)\r\nThe 'RealNetwork.exe' file is a legitimate executable signed by 'RealNetworks, Inc.' that loads\r\n'mpaplugins\\MPAMedia.dll' to call a function named 'BuildDeviceDatabase'. The threat actors, however, leverage\r\nthe legitimate executable to sideload a DLL they created by saving their own 'mpaplugins\\MPAMedia.dll' to the\r\nrandomly named folder created by the dropper.\r\nThe sideloaded 'MPAMedia.dll' DLL first checks that the system time is later than May 20, 2016, a\r\nlikely attempt at sandbox evasion. It then loads the 'main.dll' file initially saved to the randomly named folder\r\ncreated by the dropper. 
The overall loading process of this Trojan can be seen in Figure 6.\r\nFigure 6 Overview of DLL sideloading process\r\nThe ‘MPAMedia.dll’ DLL calls exported functions named \"stdInstall\" and \"CreateFunc\" from within ‘main.dll’.\r\nThe 'stdInstall' function is responsible for creating the following autorun registry key for persistence purposes:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\RealNetwork\r\nThe 'CreateFunc' exported function returns the offset within the 'main.dll' file to shellcode that contains the 9002\r\nTrojan's actual functional code, which 'MPAMedia.dll' then executes in a newly created thread. The\r\n9002 Trojan creates two mutexes during its execution: F16ME and widfasdf. It also creates the following registry\r\nkey that it uses to store the path to the user's folder (%USERPROFILE%):\r\nHKCU\\Software\\Microsoft\\F6\\uid\r\nThe Trojan uses the path stored in this registry key to locate its configuration, which it decrypts using a multiple-byte XOR algorithm and a key of “1pKFmjw”. Figure 7 shows a hexdump of the decrypted configuration for this\r\nsample of 9002.\r\nFigure 7 9002 Trojan's configuration\r\nUsing the configuration file above, the 9002 Trojan communicates with the following domain that acts as its\r\ncommand and control (C2) server:\r\nlogitechwkgame[.]com\r\nThe Trojan sends network beacons to its C2 server using two different methods. The first method, seen in Figure 8,\r\nuses a custom protocol on TCP port 80 that begins with the string ‘9002’, which is the basis of the tool’s name. If\r\nthe C2 server responds, the Trojan will send system-specific information along with the strings “jackhex” and\r\n“2016” from the configuration file. 
\"jackhex\" has also been seen in a C2 for what is likely related Poison Ivy\r\nactivity, discussed briefly later in this blog.\r\nFigure 8 Network beacon using custom 9002 protocol\r\nThe second beacon method also uses TCP port 80, but this method uses HTTP requests to communicate with its\r\nC2 server. Figure 9 shows a sample HTTP request issued by this Trojan, which has a user-agent of “lynx” and\r\nPOST data of “AA” that are both hardcoded into the payload.\r\nFigure 9 Network beacon from 9002 using HTTP request\r\nThe two beacons generated by this payload are very similar to those generated by the ‘3102’ variant of 9002\r\nthat we previously analyzed. The capabilities within this 9002 sample are very similar to those of the 3102 variant\r\ndiscussed, as its main functionality is to load plugins provided by the C2 server and call an exported function\r\nnamed “CreatePluginObj”.\r\nInfrastructure and Poison Ivy Ties\r\nThe C2 server ‘logitechwkgame[.]com’ resolves to the IP address '222.239.91[.]30', to which\r\n'admin.nslookupdns[.]com' also resolved at the same time as 'logitechwkgame[.]com', suggesting that these two domains are\r\nassociated with the same threat actors. 'admin.nslookupdns[.]com' was found to also be a C2 for Poison Ivy\r\nsamples associated with attacks on Myanmar and other Asian countries, as discussed in a blog published by Arbor\r\nNetworks. An additional tie between the two sets of activity is the Poison Ivy C2 'jackhex.md5c[.]net', as \"jackhex\" is not a\r\ncommon word or phrase and is also seen in the beacon activity of the previously discussed 9002 sample.\r\nIn addition to those noted in the blog by Arbor Networks, we found several other Poison Ivy samples using the\r\nsame mutex, created by the same parent processes, and using most of the same C2 infrastructure. 
However, the\r\nsamples we collected lack campaign IDs and all use \"version2013\" as the password to encrypt their\r\ncommunications. The additional Poison Ivy samples also provided us with three new C2 domains:\r\nouthmail[.]com\r\nmxdnsv6[.]com\r\nmicrosoftserve[.]com\r\nAlso, some of the C2 domains associated with these Poison Ivy samples were registered with emails that were\r\nused to register the following possibly related domains:\r\ngooledriveservice[.]com\r\nqueryurl[.]com\r\nappupdatemoremagic[.]com\r\nWhile we do not have complete targeting information associated with these samples, several of the decoy files\r\nwere in Chinese and appear to be part of a recent and possibly ongoing campaign targeting organizations in\r\nTaiwan. The decoy themes centered primarily around cross-strait relations and the Taiwanese Mainland Affairs\r\nCouncil (MAC), which is a cabinet-level organization tasked with creating, implementing, and overseeing policies\r\nbetween Taiwan and the People's Republic of China (PRC).\r\nConclusion\r\nThe use of Google Drive to host malicious files is not a new tactic in attacks. However, using a well-known\r\nhosting platform may allow the downloading of a payload to blend into other legitimate traffic from the hosting\r\nprovider. The actors still use spear phishing as their primary attack method, but because that technique has been so\r\nwell publicized, intended victims are perhaps more cautious about opening suspicious email attachments or links.\r\nAs spear phishing becomes less successful, threat actors need to continue to adapt and find new methods to\r\nsuccessfully deliver malware. 
The use of a URL shortening service and a redirection server further aids the\r\nchances of a successful attack, as it becomes more challenging to determine the validity of the link within an email\r\ndue to the way link shorteners obfuscate link content.\r\nThe files used in these attacks are properly classified as malware by WildFire. AutoFocus customers can find out\r\nmore about both 9002 and Poison Ivy via the respective malware family tags.\r\nIOCs\r\n9002 samples\r\nC11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3\r\n49ac6a6c5449396b98a89709b0ad21d078af783ec8f1cd32c1c8b5ae71bec129\r\nPoison Ivy samples\r\nC2 Domains\r\nlogitechwkgame[.]com\r\njackhex.md5c[.]net\r\nwebserver.servehttp[.]com\r\nadmin.nslookupdns[.]com\r\nouthmail[.]com\r\nmxdnsv6[.]com\r\nmicrosoftdefence[.]com\r\nmicrosoftserve[.]com\r\ngooledriveservice[.]com\r\nqueryurl[.]com\r\nappupdatemoremagic[.]com\r\nSource: http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/"
	],
	"report_names": [
		"unit-42-attack-delivers-9002-trojan-through-google-drive"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5fe8c526f33bdea3d393b6a633923154895ef9b.pdf",
		"text": "https://archive.orkl.eu/b5fe8c526f33bdea3d393b6a633923154895ef9b.txt",
		"img": "https://archive.orkl.eu/b5fe8c526f33bdea3d393b6a633923154895ef9b.jpg"
	}
}