Malware

NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan

7 min read

TARGETING AND MALWARE ANALYSIS

Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan.

Figure 2 Email containing the malicious attachment

The malicious attachment “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” is a malicious document created by the MNKit toolkit and exploits CVE-2012-0158.

Upon successful exploitation, the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique. The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data.

The DLL side-loading attack technique has been gaining adoption within the cyber espionage realm by threat actors to bypass traditional security systems. Unit 42 also published a blog last year discussing an unrelated attack where the DLL side-loading technique was used.

Figure 3 illustrates the exploitation and the infection flow of the malware.

Figure 3 Overview of the infection flow

The document “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” exploits CVE-2012-0158 to drop a decoy file “~$.doc” and the actual payload “DW20.exe”. The decoy is a blank document with the meta data stripped.

The payload (DW20.exe) is a self-extracting (SFX) RAR archive that contains the following files:

RasTls.exe
rastls.dll
Sycmentec.config

Figure 4 The payload(DW20.exe) is a SFX RAR archive

The SFX RAR uses the following configuration to launch the embedded executable, which is a legitimate application created by Symantec that will side load the rastls.dll DLL:

Setup=RasTls.exe
TempMode
Silent=1
Overwrite=1

The figure below shows that the config file, ‘Sycmentec.config’ is encrypted.

The ‘Sycmentec.config’ file can be decrypted using a single byte XOR algorithm using ‘0x77’ as a key.

Figure 5 Encrypted ‘Sycmentec.config’file

The ‘rastls.dll’ DLL will load and decrypt this file. The decrypted data starts with shellcode that is responsible for loading an embedded DLL and executing it.

Figure 6 shows the decrypted ‘Sycmentec.config’file containing an embedded DLL.

Figure 6 Decrypted ‘Sycmentec.config’ file contains an embedded DLL

The embedded DLL is the functional payload, which is a variant of the NetTraveler Trojan that has the following attributes:

Size	52736 bytes
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Architecture	32 Bits binary
MD5	3e3df4fe831d87d7f52f14933e464fc3
SHA1	cce65a0b67674a313091a947506ceb91d30605ad
SHA256	3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757
ssdeep	1536:jxKW1S8mWKFU7U9lYjhjXwVqTvS/G405:wCBmUw9lAhLWqW/G40
imphash	85ce31f87f06b02fec915d33d82958e8
Date	0x564B2B07 [Tue Nov 17 13:26:31 2015 UTC]
CRC:(Claimed)	0x0, (Actual): 0x19be0 [SUSPICIOUS]
Packers	Armadillo v1.xx - v2.xx
Entry Point	0x1000970b .text 1/5

Table 1 Attributes of the embedded DLL (NetTraveler)

The first execution of this NetTraveler Trojan starts off with an installation process. Like previous versions, this NetTraveler sample writes its configuration to a file, in this case the configuration is written to a file named "config.dat".

Figure 7 NetTraveler writes the configuration to ‘config.dat’ file

During execution, NetTraveler creates a mutex of ‘YOYWOW!657’, as shown in Figure 8 below to avoid running multiple instances of its code.

Figure 8 Mutex created for this NetTraveler payload

The code then enumerates the 'netsvcs' services, which are services that run within the process space of svchost.exe, specifically ignoring services named ‘6to4’ and ‘Ias’ as these services have been used by other malware families.

When it finds another netsvcs service with a name not matching these two names, it will delete the file associated with the service and copy the ‘rastls.dll’ file to that folder using ‘<service name>ve.dll’ as the filename as shown in Figure 9 below.

Figure 9 Code enumerating ‘netsvcs’ services

Figure 10 Renamed ‘rastls.dll’ DLL

The malware will then change the binary path of the service to point to this new filename and copies the "Sycmentec.config" file to the same folder and the ‘config.dat’ file to the following location:

c:\windows\system\CERTAPL.DLL

The NetTraveler payload relies on the ‘rastls.dll’ file to obtain its C2 server. At first glance, the NetTraveler payload appears as if it will use the following URL for its C2 server:

http://192.168.3[.]201/downloader2013/asp/downloader.asp

However, the NetTraveler payload reads the last ‘0xb0’ bytes from the rastls.dll file and uses it to create the "config.dat" file that is later saved to "CERTAPL.DLL". This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files.

Figure 11 Code snippet showing NetTraveler obtaining its configuration from rastls.dll.

The configuration file is structured as an ".ini" file as the Trojan uses GetPrivateProfileStringA to parse the contents. The configuration file has the following contents:

[OOOOOO]
U00P=r^?<80>}H>?<88><89><8A>B<8B><85>|<86><87><89><91><8B><90><92><88>N<84><91><90>S<94><96><9B><8C><8E><9E>Z<95><9B><92><94><A8>_<93><A6><A4>
K00P=XLMNOPQRSTUVWXYZ[\]^_`abcdefghiv
P00D=5
F00G=True
MM1=0
MM6=1

[OOOOOO]

U00P=r^?<80>}H>?<88><89><8A>B<8B><85>|<86><87><89><91><8B><90><92><88>N<84><91><90>S<94><96><9B><8C><8E><9E>Z<95><9B><92><94><A8>_<93><A6><A4>

K00P=XLMNOPQRSTUVWXYZ[\]^_`abcdefghiv

P00D=5

F00G=True

MM1=0

MM6=1

Unit 42 analyzed the sample and found the following configuration fields that could appear in the CERTAPL.DLL configuration file and a brief description of each field:

U00P = C2 URL
K00P = Key for DES
P00D = Sleep interval in minutes
F00G = Boolean to determine if sample should use proxy to communicate with C2 server
MM1 = 0 or 1 if proxy is configured or not.
MM3 = Port for configured proxy
MM4 = Username for configured proxy
MM5 = Password for configured proxy
MM6 = 1 if Trojan is installed correctly

U00P = C2 URL

K00P = Key for DES

P00D = Sleep interval in minutes

F00G = Boolean to determine if sample should use proxy to communicate with C2 server

MM1 = 0 or 1 if proxy is configured or not.

MM3 = Port for configured proxy

MM4 = Username for configured proxy

MM5 = Password for configured proxy

MM6 = 1 if Trojan is installed correctly

The "U00P" and "K00P" values are decrypted using a simple algorithm that subtracts the index and then subtracts ten from each character, which is depicted in the following:

def subtraction_algo(ct):
  out = ""
  i = 0
  for e in ct:
    out += chr(ord(e)-i-10)
    i += 1
  return out

def subtraction_algo(ct):

out = ""

i = 0

for e in ct:

out += chr(ord(e)-i-10)

i += 1

return out

These two fields decrypt to the following, the U00P value being the C2 URL and the K00P value being the basis for an encryption key for the DES algorithm:

U00P: http://www.voennovosti.com/optdet/index.asp (decrypted)

K00P: NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM (decrypted)

The C2 server will respond to requests issued by the Trojan with commands to carry out activities on the compromised system. We analyzed the code within NetTraveler that handles commands issued by the C2 server and found four available commands that are listed in Table 2.

Command	Description
<Unique System ID>:UNINSTALL	Deletes %APPDATA%\cert2013.dat and %STARTUP%\consent.lnk and exits the process. This attempts to uninstall the Trojan, but will not work as the filenames are not used by this version of NetTraveler
<Unique System ID>:RUN_REBOOT	Reboots the system
<Unique System ID>:RUN_STARTUP	Downloads a file to %TEMP%\Temp.bmp and copies it to the startup folder
<Unique System ID>:RUN_DIRECT	Download a file to %TEMP%\tmp.bmp and execute it

Table 2 Commands available within NetTraveler and a description of their functionality

INFRASTRUCTURE

At the time of analysis, the domain voennovosti[.]com was resolving to IP ‘98.126.38[.]107’, which is hosted by Krypt Technologies. A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies. This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler.

Figure 12 DNS query for voennovosti[.]com resolves to ‘98.126.38.107’

Figure 13 Encoded network communications

CONCLUSION

NetTraveler has been used to target diplomats, embassies and government institutions for over a decade, and remains the tool of choice by the adversaries behind these cyber espionage campaigns. The use of NetTraveler for such a long period of time shows its effectiveness and success by the adversaries in targeting their victims with impunity.

As seen in this case, the threat actors continue to evolve and employ new techniques within their modus operandi, like ‘DLL side-loading’ to install malware. It is likely that the use of ‘DLL side loading’ attack technique will increase due to it’s effectiveness to bypass traditional security systems.

It is essential to raise awareness on such attacks to better protect organizations from adversaries who maybe backed by nation states.

WildFire correctly classifies NetTraveler as malicious. AutoFocus tags are created to identify NetTraveler samples and respective IOCs are added to Palo Alto Networks Threat Prevention.

INDICATORS

SHA256 Hash	File Name
3f4fcde99775b83bc88d30ca99f5c70c1dd8b96d970dbfd5a846b46c6ea3e534	2015.12.11_сроки СГГ 2015 в Уфе.doc.doc
001fff6c09497f56532e83e998aaa80690a668883b6655129d408dd098bd1b4b	DW20.exe
74db11900499aa74be9e62d51889e7611eb8161cd141b9379e05eeca9d7175c9	rastls.dll
8f6af103bf7e3201045ce6c2af41f7a17ef671f33f297d36d2aab8640d00b0f0	Sycmentec.config
495bb9c680f114b255f92448e784563e4fd34ad19cf616cc537bec6245931b7e	config.dat
41650cb6b4ae9f06c92628208d024845026c19af1ab3916c99c80c6457bd4fa9	CERTAPL.DLL
3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757	(NetTraveler DLL payload)