NetTraveler APT Gets a Makeover for 10th Birthday

We have written about NetTraveler before HERE and HERE.

Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.

Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.

NetTraveler_1

The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

File name "Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc"
MD5 b2385963d3afece16bd7478b4cf290ce
Size 381,667 bytes

The .DOC file, which in reality is a "Single File Web Page" container, also known as "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese.

It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.

If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll", (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).

Name WINDOWSUPDATANEY.DLL
MD5 c13c79ad874215cfec8d318468e3d116
Size 37,888 bytes

It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):


To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:

  • Boat-12 Is Running!
  • DocHunter2012 Is Running!
  • Hunter-2012 Is Running!
  • NT-2012 Is Running!
  • NetTravler Is Running!
  • NetTravler2012 Is Running!
  • SH-2011 Is Running!
  • ShengHai Is Running!
  • SD2013 is Running!

The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly new format compared to "older" NetTraveler samples:

NetTraveler_2

For the record, here's what an older NetTraveler config file looks like:

NetTraveler_3

Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break.

The algorithm is as follows:

for (i=0;i<string_size;i++)
decrypted[i]=encrypted[i] - (i + 0xa);

Once decrypted, the new config looks like this:

NetTraveler_4

One can easily see the command-and-control (C&C) server in the screenshot above, which is "uyghurinfo[.]com".

We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:

C&C server IP IP location Registrar
ssdcru[.]com 103.30.7.77 Hong Kong, Albert Heng, Trillion Company SHANGHAI MEICHENG TECHNOLOGY
uygurinfo[.]com 216.83.32.29 United States, Los Angeles, Integen Inc TODAYNIC.COM
INC.
samedone[.]com 122.10.17.130 Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp Datacenter SHANGHAI MEICHENG TECHNOLOGY
gobackto[.]net 103.1.42.1 Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY
worksware[.]net N/A N/A SHANGHAI MEICHENG TECHNOLOGY
jojomic[.]com was
202.146.219.14
Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY
angellost[.]net was 103.17.117.201 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY
husden[.]com was 103.30.7.76 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY

We recommend blocking all these hosts in your firewall.

Conclusion

This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.

NetTraveler_5

For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.

NetTraveler_6

NetTraveler victims by industry

Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.

The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *