9002
9002 is a remote access Trojan (RAT) / backdoor family used in multiple China-linked espionage campaigns. Reporting ties it to the Sunshop ecosystem and to broader shared malware-development infrastructure that FireEye called the Sunshop Digital Quartermaster (SDQ). It has also been listed among tools used by BRONZE UNION / Emissary Panda / APT27. FireEye collected 70 Trojan.APT.9002 binaries across linked campaigns observed from July 2011 to September 2013, and identified a Chinese-language "9002 Builder" used to generate variants.
Observed delivery vectors include strategic web compromise and spearphishing. In the Sunshop Campaign, compromised websites redirected victims to exploits for CVE-2013-1347, CVE-2013-2423, and CVE-2013-1493, which dropped 9002 payloads. Documented samples include MD5 b0ef2ab86f160aa416184c09df8388fe connecting to dns[.]homesvr[.]tk, MD5 d99ed31af1e0ad6fb5bf0f116063e91f connecting to asp[.]homesvr[.]linkpc[.]net, and MD5 42bd5e7e8f74c15873ff0f4a9ce974cd connecting to ssl[.]homesvr[.]tk; these domains resolved to 58.64.205.53. Proofpoint also observed a targeted spearphishing campaign using a malicious DOCX ("game of thrones preview.docx") containing an embedded LNK that launched PowerShell, downloaded XOR/base64-obfuscated payloads, and installed a diskless 9002 RAT by injecting shellcode into wabmig.exe. Persistence was established via a Startup-folder LNK named UpdateCheck.lnk. Related 2014 activity used similar LNK downloaders and, in some cases, a Java payload named PhotoShow.jar to execute a diskless 9002 variant.
Capabilities directly described in the source material include remote access functionality, shellcode-based in-memory execution, process injection into legitimate Windows binaries, persistence via LNK files, HTTP communications, and a "fake SSL" protocol. The fake SSL traffic used hardcoded Client_Hello and Client_Key_Exchange packets and attempted to mimic traffic to login.live[.]com by placing that domain in the SNI field. HTTP POST data was encoded with a custom algorithm and then base64-encoded; the variant used hardcoded headers, a User-Agent of "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", and URIs including /?FORM=Desktop&setmkt=en-us&setlang=en-us and /config/signin, with support for dynamically generated /%x.htm? URIs. Proofpoint described the encoding as an iteration of FireEye's previously analyzed 4-byte XOR 9002 variant, using a static 38-byte seed to generate a 256-byte XOR key combined with a dynamic 4-byte XOR key.
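As an added example (not from the original page or any vendor tooling), the HTTP traits above can be combined into a proxy-log check. It assumes a constructed tab-separated record format; only the User-Agent, the two static URIs, the /%x.htm? shape and the base64 outer layer come from the reporting.

```python
import base64
import re

# Indicators quoted in the reporting above; the log format is constructed for this example.
UA_9002 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
STATIC_URIS = {"/?FORM=Desktop&setmkt=en-us&setlang=en-us", "/config/signin"}
DYNAMIC_URI = re.compile(r"^/[0-9a-fA-F]+\.htm\?")   # the dynamically generated /%x.htm? form
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def looks_base64(body: str) -> bool:
    """True when the body is base64 alphabet only and decodes cleanly (the outer encoding layer)."""
    if not B64_BODY.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:
        return False

def uri_matches(uri: str) -> bool:
    return uri in STATIC_URIS or DYNAMIC_URI.match(uri) is not None

def flag_9002_http(records):
    """records: iterable of 'METHOD<TAB>URI<TAB>USER-AGENT<TAB>BODY' lines (constructed format).
    Returns [(line_no, uri)] for POSTs that combine all three traits: the hardcoded
    User-Agent, one of the known URI shapes, and a base64-looking body. The User-Agent
    alone is an ordinary IE9 / Windows 7 string, so it is never flagged on its own."""
    hits = []
    for n, rec in enumerate(records, 1):
        parts = rec.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        method, uri, ua, body = parts
        if method == "POST" and ua == UA_9002 and uri_matches(uri) and looks_base64(body):
            hits.append((n, uri))
    return hits

# Constructed sample records: a benign Bing-style GET with the same UA, two 9002-style
# POSTs, and a POST with a different UA that must not match.
SAMPLE_BODY = base64.b64encode(b"constructed-sample-payload-1234").decode()
SAMPLE_LOG = [
    "GET\t/?FORM=Desktop&setmkt=en-us&setlang=en-us\t" + UA_9002 + "\t",
    "POST\t/config/signin\t" + UA_9002 + "\t" + SAMPLE_BODY,
    "POST\t/1a2b3c.htm?\t" + UA_9002 + "\t" + SAMPLE_BODY,
    "POST\t/config/signin\tcurl/8.0\t" + SAMPLE_BODY,
]

if __name__ == "__main__":
    for line_no, uri in flag_9002_http(SAMPLE_LOG):
        print(f"line {line_no}: 9002-style POST to {uri}")
```

The base64 test only recognises the outer layer; the custom inner encoding is not specified in the reporting, so it is deliberately not modelled here.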
FireEye's analysis of the 9002 Builder indicates centralized tooling for creating variants. The builder title bar contained "[User_Server_Builder] update 2012-7-21" and supported configuration of primary and secondary C2, an ID (default "1"), an internet health-check domain (default update.microsoft.com), and proxy settings. The builder stored a server executable in PE resources under BIN, used a configuration block in the .data section with simple single-byte XOR encryption, and wrote configuration to HKCU\Software\Classes\sysinfo. FireEye also reported 24 9002 samples signed with a stolen or otherwise revoked/expired Mgame Corp certificate.
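An added example (not FireEye's tooling or the builder's own code) of the analyst-side consequence of single-byte XOR: a configuration block carved from the .data section can be decoded by brute-forcing all 256 keys against a known default, here the health-check domain quoted above. The field layout of the sample block is constructed; the real builder's layout is not described on this page.

```python
import re
from typing import Optional

# Known plaintext: the builder's default internet health-check domain, quoted above.
KNOWN_PLAINTEXT = b"update.microsoft.com"
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def recover_key(blob: bytes, crib: bytes = KNOWN_PLAINTEXT) -> Optional[int]:
    """Try every key; the right one makes the crib appear in the output.
    Key 0 is tried too, which covers a block that was never encrypted."""
    for key in range(256):
        if crib in xor1(blob, key):
            return key
    return None

def config_strings(blob: bytes):
    """Decode the block and return (key, [printable strings]) or (None, [])."""
    key = recover_key(blob)
    if key is None:
        return None, []
    plain = xor1(blob, key)
    return key, [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(plain)]

# Constructed sample block: NUL-separated fields in a made-up layout (primary C2,
# secondary C2, ID, health-check domain, proxy), encrypted with key 0x5A.
SAMPLE_FIELDS = [b"c2-primary.invalid", b"c2-secondary.invalid", b"1",
                 KNOWN_PLAINTEXT, b"proxy:8080"]
SAMPLE_BLOB = xor1(b"\x00".join(SAMPLE_FIELDS) + b"\x00" * 8, 0x5A)

if __name__ == "__main__":
    key, strings = config_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", strings)
```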
Known infrastructure and indicators mentioned in the content include C2 domains dns[.]homesvr[.]tk, asp[.]homesvr[.]linkpc[.]net, ssl[.]homesvr[.]tk, engage[.]intelfox[.]com, ru[.]pad62[.]com, tank[.]hja63[.]com, dtl[.]eatuo[.]com, dtl6[.]mooo[.]com, dtl[.]dnsd[.]me, and mx[.]i26[.]org; IP 27.255.83[.]3 with URLs http://27.255.83[.]3/x/ and http://27.255.83[.]3/y/; and import-table-linked infrastructure including ieee[.]boeing-job[.]com, lol[.]dns-lookup[.]us, twn[.]ftpmicrosoft[.]com, piping[.]no-ip[.]org, wv[.]downmicrisoft[.]com, mx[.]downmicrisoft[.]com, update1[.]mysq1[.]net, phpweb[.]zapto[.]org, and others. Reported targets across linked campaigns spanned 15 industries, including high-tech, financial services, telecommunications, federal government, and state/local government; BRONZE UNION reporting additionally cites government, technology, manufacturing, and NGO victims. Proofpoint assessed a possible connection between some 9002 activity and Deputy Dog / APT17, but stated it lacked definitive proof.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories.
The Internet Explorer (CVE-2013-1347) exploit code pulled down a “9002” RAT from another compromised site at hk[.]sz181[.]com. This payload had an MD5 of b0ef2ab86f160aa416184c09df8388fe and connected to a command and control server at dns[.]homesvr[.]tk.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure... attempted to install a “9002” remote access Trojan (RAT) historically used by state-sponsored actors.
Tools: Sysupdate, China Chopper, OwaAuth, ZxShell, Gh0st RAT, PoisonIvy, Hunter, PlugX, Enfal, HttpBrowser, 9002, ASPXSpy, HyperBro
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Remote access trojan delivered via spearphishing (DOCX with embedded LNK/OLE packager) that executes PowerShell (modified Invoke-Shellcode) to download XOR/base64-obfuscated payloads, injects 9002 shellcode into a legitimate process (wabmig.exe), maintains persistence via Startup-folder LNK, and communicates with C2 over HTTP and a fake-SSL protocol while exfiltrating data.
9002 is a remote access trojan (RAT) used for persistent access and control of compromised systems, commonly deployed in targeted APT campaigns.
A named tool in BRONZE UNION’s toolkit; specific functionality is not described in the provided content.
Malware family heavily represented in the linked campaigns; associated with general-purpose launchers and a dedicated builder ("9002 Builder") that configures primary/secondary C2, ID, internet health-check domain, and proxy settings. The configuration is stored encrypted with single-byte XOR and written to HKCU\Software\Classes\sysinfo; later variants store the configuration as a resource and can deliver different payloads (including Poison Ivy and 9002).