NetTraveler APT Gets a Makeover for 10th Birthday

We have written about NetTraveler before HERE and HERE.

Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.

Here’s an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.

NetTraveler_1

The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

File name“Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc”
MD5b2385963d3afece16bd7478b4cf290ce
Size381,667 bytes

The .DOC file, which in reality is a “Single File Web Page” container, also known as “Web archive file”, appears to have been created on a system using Microsoft Office – Simplified Chinese.

It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.

If run on a vulnerable version of Microsoft Office, it drops the main module as “net.exe” (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into “%SystemRoot%\system32\Windowsupdataney.dll“, (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).

NameWINDOWSUPDATANEY.DLL
MD5c13c79ad874215cfec8d318468e3d116
Size37,888 bytes

It is registered as a service (named “Windowsupdata”) through a Windows Batch file named “DOT.BAT” (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):

To make sure the malware isn’t running multiple times, it uses the mutex “SD_2013 Is Running!” to mark its presence in the system. Other known mutexes used by older and current variants include:

  • Boat-12 Is Running!
  • DocHunter2012 Is Running!
  • Hunter-2012 Is Running!
  • NT-2012 Is Running!
  • NetTravler Is Running!
  • NetTravler2012 Is Running!
  • SH-2011 Is Running!
  • ShengHai Is Running!
  • SD2013 is Running!

The malware configuration file is written to the “SYSTEM” folder (as opposed to SYSTEM32) and has a slightly new format compared to “older” NetTraveler samples:

NetTraveler_2

For the record, here’s what an older NetTraveler config file looks like:

NetTraveler_3

Obviously, the developers behind NetTraveler have taken steps to try to hide the malware’s configuration. Luckily, the encryption is relatively simple to break.

The algorithm is as follows:

for (i=0;i
decrypted[i]=encrypted[i] – (i + 0xa);

Once decrypted, the new config looks like this:

NetTraveler_4

One can easily see the command-and-control (C&C) server in the screenshot above, which is “uyghurinfo[.]com“.

We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:

C&C serverIPIP locationRegistrar
ssdcru[.]com103.30.7.77Hong Kong, Albert Heng, Trillion CompanySHANGHAI MEICHENG TECHNOLOGY
uygurinfo[.]com216.83.32.29United States, Los Angeles, Integen IncTODAYNIC.COM
INC.
samedone[.]com122.10.17.130Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp DatacenterSHANGHAI MEICHENG TECHNOLOGY
gobackto[.]net103.1.42.1Hong Kong, Sun Network (hong Kong) LimitedSHANGHAI MEICHENG TECHNOLOGY
worksware[.]netN/AN/ASHANGHAI MEICHENG TECHNOLOGY
jojomic[.]comwas
202.146.219.14
Hong Kong, Sun Network (hong Kong) LimitedSHANGHAI MEICHENG TECHNOLOGY
angellost[.]netwas 103.17.117.201hong kong hung tai international holdingsSHANGHAI MEICHENG TECHNOLOGY
husden[.]comwas 103.30.7.76hong kong hung tai international holdingsSHANGHAI MEICHENG TECHNOLOGY

We recommend blocking all these hosts in your firewall.

Conclusion

This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.

NetTraveler_5

For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.

NetTraveler_6

NetTraveler victims by industry

Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.

The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *