9002 RAT -- a second building on the left

released on 2016-08-31 @ 04:41:45 AM
Recently, we’ve seen a number of reports related to the 9002 remote access Trojan (RAT). The Trojan drops a PowerPoint presentation that contains details about the 2nd Myanmar Industrial Human Resource Development Symposium. The Trojan’s technical details and its propagation vectors were recently described in a blog post by Unit42 (1). The 9002 RAT is not new. The first reports can be linked to Operation Aurora and date back to 2009 (2). This variation of the Trojan was also mentioned in the 2013 FireEye blogs about the Sunshop campaign (3) and Operation Ephemeral Hydra (4). In the latter case, the Trojan used a diskless method of operation and was notoriously more difficult to detect and track. The Trojan continued to evolve, as detailed in the June 2015 post by Palo Alto Networks (5) and in the threat intelligence briefing by ASERT (6) that followed in July of the same year.