Malware

NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan

Clock Icon 7 min read
Related Products

Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China. A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in Beijing, China. In this report, we’ll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.

On December 12, 2015, a spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan. The body and subject of the email suggests that the email was spoofed to look like it was sent by the Russian Foreign Ministry and the attachment may contain an official annual report on CHS (Council of Heads of Member States), who form the SCO (Shanghai Cooperation Organization).

Filename: “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” (translated to: “2015.12.11_sroki CHS in 2015 Ufe.doc.doc”)

Body: “С уважением, ДАТС МИД России” (translated to: “Yours faithfully, ACSD Russian Foreign Ministry”)

It is interesting to note the reference of Ufa in the file name, as the city of Ufa in Russia hosted the SCO BRICS Summit on July 9 and 10, 2015. SCO and BRICS (Brazil, Russia, India, China and South Africa) are intergovernmental international organizations focused on issues of regional security and economic cooperation.

diplomat 1

Figure 1 Leaders of member nations at the 2015 Summit in Ufa

TARGETING AND MALWARE ANALYSIS

Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan.

diplomat 2

Figure 2 Email containing the malicious attachment

The malicious attachment “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” is a malicious document created by the MNKit toolkit and exploits CVE-2012-0158.

Upon successful exploitation, the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique. The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data.

The DLL side-loading attack technique has been gaining adoption within the cyber espionage realm by threat actors to bypass traditional security systems. Unit 42 also published a blog last year discussing an unrelated attack where the DLL side-loading technique was used.

Figure 3 illustrates the exploitation and the infection flow of the malware.

diplomat 3

Figure 3 Overview of the infection flow

The document “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” exploits CVE-2012-0158 to drop a decoy file “~$.doc” and the actual payload “DW20.exe”. The decoy is a blank document with the meta data stripped.

The payload (DW20.exe) is a self-extracting (SFX) RAR archive that contains the following files:

RasTls.exe
rastls.dll
Sycmentec.config

diplomat 4

Figure 4 The payload(DW20.exe) is a SFX RAR archive

The SFX RAR uses the following configuration to launch the embedded executable, which is a legitimate application created by Symantec that will side load the rastls.dll DLL:

Setup=RasTls.exe
TempMode
Silent=1
Overwrite=1

The figure below shows that the config file, ‘Sycmentec.config’ is encrypted.

The ‘Sycmentec.config’ file can be decrypted using a single byte XOR algorithm using ‘0x77’ as a key.

diplomat 5

Figure 5 Encrypted ‘Sycmentec.config’file

The ‘rastls.dll’ DLL will load and decrypt this file. The decrypted data starts with shellcode that is responsible for loading an embedded DLL and executing it.

Figure 6 shows the decrypted ‘Sycmentec.config’file containing an embedded DLL.

diplomat 6

Figure 6 Decrypted Sycmentec.config’ file contains an embedded DLL

The embedded DLL is the functional payload, which is a variant of the NetTraveler Trojan that has the following attributes:

Size 52736 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Architecture 32 Bits binary
MD5 3e3df4fe831d87d7f52f14933e464fc3
SHA1 cce65a0b67674a313091a947506ceb91d30605ad
SHA256 3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757
ssdeep 1536:jxKW1S8mWKFU7U9lYjhjXwVqTvS/G405:wCBmUw9lAhLWqW/G40
imphash 85ce31f87f06b02fec915d33d82958e8
Date 0x564B2B07 [Tue Nov 17 13:26:31 2015 UTC]
CRC:(Claimed) 0x0, (Actual): 0x19be0 [SUSPICIOUS]
Packers Armadillo v1.xx - v2.xx
Entry Point 0x1000970b .text 1/5

Table 1 Attributes of the embedded DLL (NetTraveler)

The first execution of this NetTraveler Trojan starts off with an installation process. Like previous versions, this NetTraveler sample writes its configuration to a file, in this case the configuration is written to a file named "config.dat".

diplomat 7

Figure 7 NetTraveler writes the configuration to config.dat’ file

During execution, NetTraveler creates a mutex of ‘YOYWOW!657’, as shown in Figure 8 below to avoid running multiple instances of its code.

diplomat 8

Figure 8 Mutex created for this NetTraveler payload

The code then enumerates the 'netsvcs' services, which are services that run within the process space of svchost.exe, specifically ignoring services named ‘6to4’ and ‘Ias’ as these services have been used by other malware families.

When it finds another netsvcs service with a name not matching these two names, it will delete the file associated with the service and copy the ‘rastls.dll’ file to that folder using ‘<service name>ve.dll’ as the filename as shown in Figure 9 below.

diplomat 9

Figure 9 Code enumerating ‘netsvcs’ services

diplomat 10

Figure 10 Renamed ‘rastls.dll’ DLL

 The malware will then change the binary path of the service to point to this new filename and copies the "Sycmentec.config" file to the same folder and the ‘config.dat’ file to the following location:

c:\windows\system\CERTAPL.DLL

The NetTraveler payload relies on the ‘rastls.dll’ file to obtain its C2 server. At first glance, the NetTraveler payload appears as if it will use the following URL for its C2 server:

http://192.168.3[.]201/downloader2013/asp/downloader.asp

However, the NetTraveler payload reads the last ‘0xb0’ bytes from the rastls.dll file and uses it to create the "config.dat" file that is later saved to "CERTAPL.DLL". This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files.

diplomat 11

Figure 11 Code snippet showing NetTraveler obtaining its configuration from rastls.dll.

The configuration file is structured as an ".ini" file as the Trojan uses GetPrivateProfileStringA to parse the contents. The configuration file has the following contents:

Unit 42 analyzed the sample and found the following configuration fields that could appear in the CERTAPL.DLL configuration file and a brief description of each field:

The "U00P" and "K00P" values are decrypted using a simple algorithm that subtracts the index and then subtracts ten from each character, which is depicted in the following:

These two fields decrypt to the following, the U00P value being the C2 URL and the K00P value being the basis for an encryption key for the DES algorithm:

U00P: http://www.voennovosti.com/optdet/index.asp (decrypted)

K00P: NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM (decrypted)

The C2 server will respond to requests issued by the Trojan with commands to carry out activities on the compromised system. We analyzed the code within NetTraveler that handles commands issued by the C2 server and found four available commands that are listed in Table 2.

Command Description
<Unique System ID>:UNINSTALL Deletes %APPDATA%\cert2013.dat and %STARTUP%\consent.lnk and exits the process. This attempts to uninstall the Trojan, but will not work as the filenames are not used by this version of NetTraveler
<Unique System ID>:RUN_REBOOT Reboots the system
<Unique System ID>:RUN_STARTUP Downloads a file to %TEMP%\Temp.bmp and copies it to the startup folder
<Unique System ID>:RUN_DIRECT Download a file to %TEMP%\tmp.bmp and execute it

Table 2 Commands available within NetTraveler and a description of their functionality

INFRASTRUCTURE

At the time of analysis, the domain voennovosti[.]com was resolving to IP ‘98.126.38[.]107’, which is hosted by Krypt Technologies. A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies. This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler.

diplomat 12

Figure 12 DNS query for voennovosti[.]com resolves to ‘98.126.38.107’

diplomat 13

Figure 13 Encoded network communications

CONCLUSION

NetTraveler has been used to target diplomats, embassies and government institutions for over a decade, and remains the tool of choice by the adversaries behind these cyber espionage campaigns. The use of NetTraveler for such a long period of time shows its effectiveness and success by the adversaries in targeting their victims with impunity.

As seen in this case, the threat actors continue to evolve and employ new techniques within their modus operandi, like ‘DLL side-loading’ to install malware. It is likely that the use of ‘DLL side loading’ attack technique will increase due to it’s effectiveness to bypass traditional security systems.

It is essential to raise awareness on such attacks to better protect organizations from adversaries who maybe backed by nation states.

WildFire correctly classifies NetTraveler as malicious. AutoFocus tags are created to identify NetTraveler samples and respective IOCs are added to Palo Alto Networks Threat Prevention.

INDICATORS

SHA256 Hash File Name
3f4fcde99775b83bc88d30ca99f5c70c1dd8b96d970dbfd5a846b46c6ea3e534 2015.12.11_сроки СГГ 2015 в Уфе.doc.doc
001fff6c09497f56532e83e998aaa80690a668883b6655129d408dd098bd1b4b DW20.exe
74db11900499aa74be9e62d51889e7611eb8161cd141b9379e05eeca9d7175c9 rastls.dll
8f6af103bf7e3201045ce6c2af41f7a17ef671f33f297d36d2aab8640d00b0f0 Sycmentec.config
495bb9c680f114b255f92448e784563e4fd34ad19cf616cc537bec6245931b7e config.dat
41650cb6b4ae9f06c92628208d024845026c19af1ab3916c99c80c6457bd4fa9 CERTAPL.DLL
3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757 (NetTraveler DLL payload)

Command and Control

voennovosti[.]com
98.126.38[.]107

REFERENCES

Enlarged Image