At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware. So, with this intelligence ready we are sharing our findings in this blog to supplement Palo Alto’s research with additional details.
Technical Details
| MD5 | Size (bytes) | Linker | Compiled on |
|---|---|---|---|
| 7643335D06BAEC5A14C95A393592EA3F | 164352 | 11.0 | 2016-10-14 06:21:07 |
The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen because of a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with the correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.
First of all, we detected numerous malicious documents being used in spear-phishing attacks with file names suggesting Russian-speaking targets; the executables embedded in them are stored in encrypted form:
This encryption method has been well known for a long time. It was first used in exploit documents to conceal Enfal, then we discovered this backdoor, Travle. Later, documents with the same encryption started carrying another APT family, Microcin. Travle C2 domains often overlap with those of Enfal. In regard to NetTraveler, at some point Enfal samples started using the same encryption method for storing the C2 URL as was used in NetTraveler:
So, clearly these backdoors – Enfal, NetTraveler, Travle and Microcin – are all related to each other and are believed to have Chinese-speaking origins. And after finding the string “Travel path failed!” we believe that the Travle backdoor could be intended as a successor to the NetTraveler malware.
The malware starts by initializing the following variables:
- %TEMP%\KB287640\ – local malware drop-zone
- %TEMP%\KB887209\ – plugins storage
- <malware install path>\~KB178495.DAT – configuration file path
Surprisingly, these paths remain the same in all samples of this family. If no configuration file is found, Travle reads the default settings from its resource “RAW_DATA”. Settings are stored in encrypted form. Here is the decryption code:
for (i = size - 1; i > 1; --i)   // walk downwards so buf[i - 2] is still the encrypted byte
    buf[i] ^= buf[i - 2];
The storage format for the configuration block is as follows:
| Offset | Size | Value |
|---|---|---|
| 0 | 0x81 | C2 domain |
| 0x102 | 0x81 | C2 URL path |
| 0x204 | 2 | C2 port (not used) |
| 0x206 | 0xB | not used |
| 0x21C | 0xB | Sample ID |
| 0x232 | 0x401 | Bot’s first RC4 key |
| 0xA34 | 0x401 | Bot’s second RC4 key |
| 0x1238 | 2 | not used |
The described sample maintains the following configuration data:
| Field | Value |
|---|---|
| C2 domain | remember123321.com |
| C2 URL path | /zzw/ash.py |
| Sample ID | MjdfS0584 |
| 1st RC4 key | mffAFe4bgaadbAzpoYRf |
| 2nd RC4 key | mffAFe4bgaadbAzpoYRf |
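The decryption loop and the two tables above are enough to write a configuration extractor, which is what an analyst would want for triaging new samples of this family. The following is an added example, not code from the original report: it implements the byte-chained XOR decryption exactly as shown, pulls the documented fields out at their offsets, and builds a test blob from the sample's configuration values. The inverse (encryption) loop, the little-endian port field and the NUL-terminated string slots are assumptions; the report documents only the decryption direction and the offsets. The port value 8080 in the test blob is constructed, since the bot does not use that field.

```python
import struct

# Field layout of the Travle configuration block as documented in the table
# above: name -> (offset, slot length). Strings are assumed to be
# NUL-terminated ASCII inside their fixed-size slots.
CONFIG_LAYOUT = {
    "c2_domain":   (0x000, 0x81),
    "c2_url_path": (0x102, 0x81),
    "c2_port":     (0x204, 2),      # documented as not used by the bot
    "sample_id":   (0x21C, 0xB),
    "rc4_key_1":   (0x232, 0x401),
    "rc4_key_2":   (0xA34, 0x401),
}
CONFIG_SIZE = 0x1238 + 2  # the last documented field is 2 unused bytes at 0x1238


def decrypt_config(data: bytes) -> bytes:
    """Travle's config decryption from the report: buf[i] ^= buf[i-2], walking
    downwards so every XOR partner is a still-encrypted byte."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 1, -1):
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def encrypt_config(data: bytes) -> bytes:
    """Inverse transform, walking upwards. The report only shows the decryption
    loop; this inverse is assumed and is used here only to build a test blob."""
    buf = bytearray(data)
    for i in range(2, len(buf)):
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def _cstring(blob: bytes, offset: int, length: int) -> str:
    """Read a NUL-terminated string out of a fixed-size slot."""
    slot = blob[offset:offset + length]
    return slot.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(plain: bytes) -> dict:
    """Pull the documented fields out of a decrypted configuration block."""
    if len(plain) < CONFIG_SIZE:
        raise ValueError(f"config block too short: {len(plain)} < {CONFIG_SIZE:#x}")
    cfg = {}
    for name, (offset, length) in CONFIG_LAYOUT.items():
        if name == "c2_port":
            # 16-bit little-endian assumed (x86 Windows DLL)
            cfg[name] = struct.unpack_from("<H", plain, offset)[0]
        else:
            cfg[name] = _cstring(plain, offset, length)
    return cfg


def extract_config(encrypted: bytes) -> dict:
    """Decrypt-then-parse, for the bytes of a RAW_DATA resource or a ~KB178495.DAT file."""
    return parse_config(decrypt_config(encrypted))


def build_sample_config() -> bytes:
    """Constructed test input: the sample's configuration values from the
    table above, laid out per CONFIG_LAYOUT and then encrypted."""
    buf = bytearray(CONFIG_SIZE)
    values = {
        "c2_domain":   "remember123321.com",
        "c2_url_path": "/zzw/ash.py",
        "sample_id":   "MjdfS0584",
        "rc4_key_1":   "mffAFe4bgaadbAzpoYRf",
        "rc4_key_2":   "mffAFe4bgaadbAzpoYRf",
    }
    for name, value in values.items():
        offset, length = CONFIG_LAYOUT[name]
        raw = value.encode("ascii")
        if len(raw) >= length:
            raise ValueError(f"{name} does not fit its {length:#x}-byte slot")
        buf[offset:offset + len(raw)] = raw
    # The port is unused by the malware; 8080 is a constructed placeholder.
    struct.pack_into("<H", buf, CONFIG_LAYOUT["c2_port"][0], 8080)
    return encrypt_config(bytes(buf))


if __name__ == "__main__":
    for field, value in extract_config(build_sample_config()).items():
        print(f"{field:12} {value}")
```

Feed `extract_config` the raw bytes of the RAW_DATA resource (or the dropped configuration file) and it returns the C2 domain, URL path and both RC4 keys, which are the values worth turning into network and host indicators.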
The Travle backdoor starts its communication with the C2 by sending gathered information about the target operating system in an HTTP POST request to a URL built using the C2 domain and the path specified in the settings. The information sent includes the following data:
- UserID – based on the computer name and IP-address
- Computer name
- Keyboard layout
- OS version
- IP-addresses
- MAC-address
Once the C2 receives the first packet, it responds with a block of data containing the following information:
- URL path for receiving commands
- URL path for reporting on command execution results
- URL path for downloading files from C2
- URL path for uploading files to C2
- C2 second RC4 key
- C2 first RC4 key
- C2 ID
After this packet has been received, Travle waits for additional commands from the server.
Communication encryption
The ciphering algorithm depends on the type of transmitted object. There are three possible variants:
- Data
  - Data is ciphered with Base64
  - The resulting string is appended to the header with a size of 0x58 bytes
  - The resulting buffer is ciphered by RC4 with the C2 first RC4 key
  - The resulting buffer is ciphered with Base64
- List of strings
  - Each line is ciphered by RC4 with the C2 second RC4 key
  - The resulting buffer is ciphered with Base64
  - All the previously Base64-ciphered strings are merged into one, delimited with \r\n
  - The resulting string is appended to the header with a size of 0x54 bytes
  - The resulting buffer is ciphered by RC4 with the C2 first RC4 key
  - The resulting buffer is ciphered with Base64
- File
  - Compressed with LZO
  - The resulting archive is ciphered by RC4 with the C2 second RC4 key
Messages format
The header for the transmitted data is as follows:
| Offset (bytes) | Size (bytes) | Description |
|---|---|---|
| 0 | 0x14 | Random set of bytes |
| 0x14 | 4 | Data type / Command ordinal |
| 0x18 | 4 | NULL / Command ID |
| 0x1C | 4 | Size of data |
| 0x20 | 0x14 | Sample ID |
| 0x34 | 0x24 | User ID |
| 0x58 | Size of data | Data |
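The “Data” cipher variant above and the 0x58-byte header table together describe the outer envelope of a bot-to-C2 message, and a decoder for that envelope is what you need to read captured POST bodies once the RC4 key is known. The following is an added example written for this post, not code from the original report: it packs and unpacks the header with the documented field sizes, applies the Base64 / RC4 / Base64 layering in the stated order, and rejects input that is too short or whose size field does not match the data present (a wrong key usually shows up that way). Assumed, because the report does not state them: little-endian integer fields, the size field counting the Base64-encoded body that follows the header, and the sample's own configuration key standing in for the C2-supplied first key; the sample message content is constructed.

```python
import base64
import os
import struct
from typing import Optional

# Header layout from the table above (0x58 bytes, little-endian assumed):
# random(0x14) | type/ordinal u32 | NULL/command id u32 | data size u32 |
# sample ID (0x14) | user ID (0x24)
HEADER_FMT = "<20sIII20s36s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x58


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_data_message(payload: bytes, msg_type: int, cmd_id: int,
                        sample_id: str, user_id: str, c2_key1: bytes,
                        random_prefix: Optional[bytes] = None) -> bytes:
    """Bot -> C2 'Data' variant: Base64(payload), prepend the 0x58-byte header,
    RC4 with the C2 first key, Base64 again. The size field is assumed to
    count the Base64 body that follows the header."""
    body = base64.b64encode(payload)
    header = struct.pack(HEADER_FMT,
                         random_prefix or os.urandom(20),
                         msg_type, cmd_id, len(body),
                         sample_id.encode("ascii"),   # 's' pads slots with NULs
                         user_id.encode("ascii"))
    return base64.b64encode(rc4(c2_key1, header + body))


def decode_data_message(wire: bytes, c2_key1: bytes) -> dict:
    """Reverse the layers on a captured POST body; raise on malformed input."""
    raw = rc4(c2_key1, base64.b64decode(wire))
    if len(raw) < HEADER_SIZE:
        raise ValueError("shorter than a Travle header")
    _rnd, msg_type, cmd_id, size, sample_id, user_id = struct.unpack_from(HEADER_FMT, raw, 0)
    body = raw[HEADER_SIZE:HEADER_SIZE + size]
    if len(body) != size:
        raise ValueError("size field exceeds available data (wrong key or truncated capture)")
    return {
        "type": msg_type,
        "id": cmd_id,
        "sample_id": sample_id.rstrip(b"\x00").decode("ascii", errors="replace"),
        "user_id": user_id.rstrip(b"\x00").decode("ascii", errors="replace"),
        "payload": base64.b64decode(body, validate=True),
    }


if __name__ == "__main__":
    # Constructed demo: the sample's config key stands in for the C2-supplied key.
    key = b"mffAFe4bgaadbAzpoYRf"
    wire = encode_data_message(b"OS: Windows 7 SP1", 1, 0, "MjdfS0584",
                               "WKS-01-10.0.0.5", key)
    print(decode_data_message(wire, key))
```

The “List of strings” variant is not covered here because the report gives the size of its 0x54-byte header but not its layout; for a capture of that type, only the outer RC4 and Base64 layers of this decoder apply.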
The file is transferred to the C2 in a POST request as a multipart content type with boundary “kdncia987231875123nnm”. All samples of Travle we have discovered use this value.
Message types – from bot to C2
The command ID is specified at offset 0x18 in the header.
Technical messages are as follows:
| ID | Description | Data content |
|---|---|---|
| 1 | Information about OS | Information about OS |
| 2 | Request for the first command | NULL |
| 3 | Request for the list of commands | NULL |
| 4 | Command is successfully executed | Information about command execution or the name of the transmitted file |
| 5 | Command execution failed | Information about an error |
Operational messages are as follows:
| ID | Description | Data content |
|---|---|---|
| 1 | Bot sends the list of files in the requested directory | The list of files |
| 11 | Bot sends the content of the requested file | The content of the file |
Message types – from C2 to bot
When the bot sends a POST request, the C2 responds with data in the following format:
| ID | Description | Data content |
|---|---|---|
| 0 | Information about C2 | The list of C2 parameters |
| 1 | Commands | The list of commands |
The bot may also send a GET request to retrieve a specific file from the server. In this case, the C2 responds with the requested file.
General communication between bot and C2
Interaction with C2 includes two stages:
1st (automatic – carried out with no operator actions). It consists of:
- Sending information about the OS
- Receiving information about C2
- Sending a request for the first command
- Receiving the command with ordinal 1 and first argument “*”
- Sending the request for the next command
2nd (carried out by operators). It consists of:
- Sending commands to the bot
- Sending files to the bot
- Sending results of the executed commands to the C2
Commands – general bot functionality
| Ordinal | Command | Arguments | Action |
|---|---|---|---|
| 1 | Scan File System | Path; Minimum date; Maximum date | If “Path” is not “*”, the bot collects the list of files and folders in the specified directory with a creation date between the specified values, plus files with an “Encrypted” attribute. If “Path” is “*”, the search covers the complete file system. In either case, the search is recursive. |
| 2 | Run Process | Path to the batch or executable file; Command line arguments | The bot executes the specified batch file or application with the passed arguments. |
| 4 | File Presence Test | File name | The bot checks whether the specified file exists. |
| 3 | Delete File | File name | File deletion. |
| 5 | Rename File | Old file name; New file name | File renaming. |
| 6 | Move File | Old path; New path | File moving. |
| 7 | Create New Config | Content of the new configuration | The bot creates the file with the new configuration. |
| 48 | Process File With Batch | Batch script; File path | The bot sends a GET request to the C2 to download the file specified in one command argument. The batch script received in the other command argument is saved to a file and executed with the name of the downloaded file as its parameter. |
| 49 | Run Batch | Batch script | The bot receives a BAT file and executes it. |
| 16 | Download File | File path | The bot sends a GET request to download a file. The file is saved with the specified name and location. |
| 17 | Upload File | File path | The bot sends the content of the requested file in a POST message. |
| 32 | Download And Run Plugin | Plugin name; Plugin argument | The bot sends a GET request to download a plugin (DLL). The plugin is saved to the file system and loaded with the LoadLibrary API function. |
| 33 | Unload Plugin | Plugin name | The bot unloads the plugin library from memory. |
| 34 | Delete Plugin | Plugin name | The bot unloads the plugin from memory and deletes the plugin file. |
| 35 | Load And Run Plugin | Plugin name; Plugin argument | The bot loads a plugin into memory with the specified parameter. |
Plugins
Unfortunately, we have been unable to receive plugins from any C2 found in examined Travle samples, but after analyzing the code of Travle we can briefly describe how they are handled.
Plugins are handled with the use of commands 32-35. Not every analyzed Travle sample is able to work with plugins.
Each plugin DLL is saved in a file and loaded with the use of the LoadLibrary API function. The DLL should export three functions: GetPluginInfo, Starting and FreeMemory. These functions are invoked one-by-one at the plugin DLL loading stage. When Travle has to unload the plugin DLL it calls the FreeLibrary API function.
In all analyzed Travle samples, plugins are saved in the same location: %TEMP%\KB887209\.
Conclusion
The actor or actors responsible for the Travle attacks have been active for the last few years, apparently unconcerned about being tracked by AV companies. Usually, modifications and new additions to their arsenal are discovered and detected quite quickly. Still, the fact that they didn’t really need to change their TTPs during all these years suggests that they don’t need to increase their sophistication level in order to fulfill their goals. What’s worse, judging by the subjects of the decoy documents, these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go in implementing IT security best practices that efficiently resist targeted attacks.
We detect Travle samples with the following verdicts:
Trojan.Win32.Tpyn.*
Trojan.Win32.TravNet.*
Trojan-Spy.Win32.TravNet.*
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.TravNet.gen
HEUR:Backdoor.Win32.NetTraveler.gen
More information about the Travle APT is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com
Travle aka PYLOT backdoor hits Russian-speaking targets