### 70 **attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.** **On December 12, 2015, a spear-phishing email was sent to a diplomat of the Embassy of** **Uzbekistan. The body and subject of the email suggests that the email was spoofed to look like it** **was sent by the Russian Foreign Ministry and the attachment may contain an official annual** **[report on CHS (Council of Heads of Member States), who form the SCO (Shanghai Cooperation](https://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation)** **Organization).** **_Filename: “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” (translated to: “2015.12.11_sroki CHS_** **_in 2015 Ufe.doc.doc”)_** **_Body: “С уважением, ДАТС МИД России” (translated to: “Yours faithfully, ACSD Russian_** **_Foreign Ministry”)_** **It is interesting to note the reference of Ufa in the file name, as the city of Ufa in Russia hosted** **[the SCO BRICS Summit on July 9 and 10, 2015. SCO and BRICS (Brazil, Russia, India, China](http://ufa2015.com/)** **and South Africa) are intergovernmental international organizations focused on issues of** **regional security and economic cooperation.** **_Figure 1 Leaders of member nations at the 2015 Summit in Ufa_** **Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler** **Trojan.** |Col1|POSTED BY: Vicky Ray and Robert Falcone on January 21, 2016 8:45 AM| |---|---| |70|| |LLiikkee|FILED IN: Malware, Threat Prevention, Unit 42 TAGGED: AutoFocus, NetTraveler, spearphishing, Trojan, Ufa, Ufe, Uzbekistan, WildFire Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China. A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in Beijing, China. In this report, we’ll review how the actors| |Tweet|| |2|| ## Traps v3.4: Good News for Breach Prevention in Government Environments **[posted by Pamela Warren on August 11, 2016](http://researchcenter.paloaltonetworks.com/author/pwarren/)** ## Are the Security Issues Facing the Industrial IoT Over-Hyped? **[posted by Rick Howard on August 10, 2016](http://researchcenter.paloaltonetworks.com/author/rick/)** ## Traps v3.4: New Features Help Prevent Cyberattacks on Banks **[posted by Lawrence Chin on August 9, 2016](http://researchcenter.paloaltonetworks.com/author/lawrence-chin/)** ## New Traps v3.4 Features Improve Protection in Healthcare Environments **[posted by Matt Mellen on August 8, 2016](http://researchcenter.paloaltonetworks.com/author/matt-mellen/)** ## A Powerful Combination: New Cyber Breach Prevention Offering **[posted by Eric Schou on August 8, 2016](http://researchcenter.paloaltonetworks.com/author/eric-schou/)** **[MORE →](http://researchcenter.paloaltonetworks.com/archives/)** **Select a Category** **Select a Month** **[MORE →](http://researchcenter.paloaltonetworks.com/archives/)** ## 2 ----- **Upon successful exploitation, the attachment will install the trojan known as NetTraveler using a** **[DLL side-loading attack technique. The NetTraveler trojan has been known to be used in](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf)** **[targeted cyber espionage attacks for more than a decade by nation state threat actors and](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/)** **continues to be used to target its victims and exfiltrate data.** **The DLL side-loading attack technique has been gaining adoption within the cyber espionage** **[realm by threat actors to bypass traditional security systems. Unit 42 also published a blog last](http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung-application-for-dll-side-loading/)** **year discussing an unrelated attack where the DLL side-loading technique was used.** **Figure 3 illustrates the exploitation and the infection flow of the malware.** **_Figure 3 Overview of the infection flow_** **The document “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” exploits CVE-2012-0158 to drop a** **decoy file “~$.doc” and the actual payload “DW20.exe”. The decoy is a blank document with the** **meta data stripped.** **The payload (DW20.exe) is a self-extracting (SFX) RAR archive that contains the following files:** **_RasTls.exe_** **_rastls.dll_** **_Sycmentec.config_** ----- **_Setup=RasTls.exe_** **_TempMode_** **_Silent=1_** **_Overwrite=1_** **The figure below shows that the config file, ‘Sycmentec.config’ is encrypted.** **The ‘Sycmentec.config’ file can be decrypted using a single byte XOR algorithm using ‘0x77’ as** **a key.** **_Figure 5 Encrypted ‘Sycmentec.config’file_** **The ‘rastls.dll’ DLL will load and decrypt this file. The decrypted data starts with shellcode that is** **responsible for loading an embedded DLL and executing it.** **Figure 6 shows the decrypted ‘Sycmentec.config’file containing an embedded DLL.** **_Figure 6 Decrypted ‘Sycmentec.config’ file contains an embedded DLL_** **The embedded DLL is the functional payload, which is a variant of the NetTraveler Trojan that** **has the following attributes:** **Size** **52736 bytes** **Type** **PE32 executable (DLL) (GUI) Intel 80386, for MS Windows** **Architecture** **32 Bits binary** **MD5** **3e3df4fe831d87d7f52f14933e464fc3** **SHA1** **cce65a0b67674a313091a947506ceb91d30605ad** **SHA256** **3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757** **ssdeep** **1536:jxKW1S8mWKFU7U9lYjhjXwVqTvS/G405:wCBmUw9lAhLWqW/G40** **imphash** **85ce31f87f06b02fec915d33d82958e8** **Date** **0x564B2B07 [Tue Nov 17 13:26:31 2015 UTC]** ----- **Packers** **Armadillo v1.xx – v2.xx** **Entry Point** **0x1000970b .text 1/5** **_Table 1 Attributes of the embedded DLL (NetTraveler)_** **The first execution of this NetTraveler Trojan starts off with an installation process. Like** **previous versions, this NetTraveler sample writes its configuration to a file, in this case the** **configuration is written to a file named “config.dat”.** **_Figure 7 NetTraveler writes the configuration to ‘config.dat’ file_** **During execution, NetTraveler creates a mutex of ‘YOYWOW!657’, as shown in Figure 8 below** **to avoid running multiple instances of its code.** **_Figure 8 Mutex created for this NetTraveler payload_** **The code then enumerates the ‘netsvcs’ services, which are services that run within the process** **space of svchost.exe, specifically ignoring services named ‘6to4’ and ‘Ias’ as these services** **have been used by other malware families.** **When it finds another netsvcs service with a name not matching these two names, it will delete** **the file associated with the service and copy the ‘rastls.dll’ file to that folder using ‘ve.dll’ as the filename as shown in Figure 9 below.** ----- **_Figure 9 Code enumerating ‘netsvcs’ services_** **_Figure 10 Renamed ‘rastls.dll’ DLL_** **The malware will then change the binary path of the service to point to this new filename and** **copies the “Sycmentec.config” file to the same folder and the ‘config.dat’ file to the following** **location:** **_c:\windows\system\CERTAPL.DLL_** **The NetTraveler payload relies on the ‘rastls.dll’ file to obtain its C2 server. At first glance, the** **NetTraveler payload appears as if it will use the following URL for its C2 server:** **_http://192.168.3[.]201/downloader2013/asp/downloader.asp_** **However, the NetTraveler payload reads the last ‘0xb0’ bytes from the rastls.dll file and uses it to** **create the “config.dat” file that is later saved to “CERTAPL.DLL”. This technique hides the true** **C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config** **files.** ----- **_Figure 11 Code snippet showing NetTraveler obtaining its configuration from rastls.dll._** **The configuration file is structured as an “.ini” file as the Trojan uses GetPrivateProfileStringA to** **parse the contents. The configuration file has the following contents:** **1** **2** **3** **4** **5** **6** **7** **[OOOOOO]** **U00P=r^?<80>}H>?<88><89><8A>B<8B><85>|<86><87><89><91><8B><90><92><88>** **K00P=XLMNOPQRSTUVWXYZ[\]^_`abcdefghiv** **P00D=5** **F00G=True** **MM1=0** **MM6=1** **Unit 42 analyzed the sample and found the following configuration fields that could appear in the** **CERTAPL.DLL configuration file and a brief description of each field:** **1** **2** **3** **4** **5** **6** **7** **8** **9** **U00P = C2 URL** **K00P = Key for** **DES** **P00D = Sleep interval in** **minutes** **F00G = Boolean** **to** **determine if** **sample should use** **proxy to** **communicat** **MM1 = 0** **or** **1** **if** **proxy is** **configured or** **not.** **MM3 = Port for** **configured proxy** **MM4 = Username for** **configured proxy** **MM5 = Password for** **configured proxy** **MM6 = 1** **if** **Trojan is** **installed correctly** **The “U00P” and “K00P” values are decrypted using a simple algorithm that subtracts the index** **and then subtracts ten from each character, which is depicted in the following:** **1** **2** **3** **4** **5** **6** **7** **def subtraction_algo(ct):** **out = ""** **i = 0** **for** **e** **in** **ct:** **out += chr(ord(e)-i-10)** **i += 1** **return** **out** **These two fields decrypt to the following, the U00P value being the C2 URL and the K00P value** **being the basis for an encryption key for the DES algorithm:** **_U00P: http://www.voennovosti.com/optdet/index.asp (decrypted)_** **_K00P: NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM (decrypted)_** **The C2 server will respond to requests issued by the Trojan with commands to carry out** **activities on the compromised system. We analyzed the code within NetTraveler that handles** **commands issued by the C2 server and found four available commands that are listed in Table** **2.** **Command** **Description** ----- **:RUN_REBOOT** **:RUN_STARTUP** **:RUN_DIRECT** **%STARTUP%\consent.lnk and** **exits the process. This attempts to** **uninstall the Trojan, but will not** **work as the filenames are not** **used by this version of** **NetTraveler** **Reboots the system** **Downloads a file to** **%TEMP%\Temp.bmp and copies** **it to the startup folder** **Download a file to** **%TEMP%\tmp.bmp and execute it** **_Table 2 Commands available within NetTraveler and a description of their functionality_** **At the time of analysis, the domain voennovosti[.]com was resolving to IP ‘98.126.38[.]107’,** **[which is hosted by Krypt Technologies. A report published by Kaspersky Labs in 2011 on](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf)** **NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies. This web** **hosting service provider continues to be the hosting provider of choice for the threat actors** **behind NetTraveler.** **_Figure 12 DNS query for voennovosti[.]com resolves to ‘98.126.38.107’_** **_Figure 13 Encoded network communications_** **NetTraveler has been used to target diplomats, embassies and government institutions for over** **a decade, and remains the tool of choice by the adversaries behind these cyber espionage** **campaigns. The use of NetTraveler for such a long period of time shows its effectiveness and** **success by the adversaries in targeting their victims with impunity.** **As seen in this case, the threat actors continue to evolve and employ new techniques within** **their modus operandi, like ‘DLL side-loading’ to install malware. It is likely that the use of ‘DLL** **side loading’ attack technique will increase due to it’s effectiveness to bypass traditional security** **systems.** **It is essential to raise awareness on such attacks to better protect organizations from** **d** **i** **h** **b** **b** **k d b** **ti** **t t** ----- **SHA256 Hash** **File Name** **3f4fcde99775b83bc88d30ca99f5c70c1dd8b96d970dbfd5a846b46c6ea3e534** **2015.12.11_сроки** **СГГ 2015 в** **Уфе.doc.doc** **001fff6c09497f56532e83e998aaa80690a668883b6655129d408dd098bd1b4b** **DW20.exe** **74db11900499aa74be9e62d51889e7611eb8161cd141b9379e05eeca9d7175c9** **rastls.dll** **8f6af103bf7e3201045ce6c2af41f7a17ef671f33f297d36d2aab8640d00b0f0** **Sycmentec.config** **495bb9c680f114b255f92448e784563e4fd34ad19cf616cc537bec6245931b7e** **config.dat** **41650cb6b4ae9f06c92628208d024845026c19af1ab3916c99c80c6457bd4fa9** **CERTAPL.DLL** **3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757** **(NetTraveler DLL** **payload)** **Command and Control** **voennovosti[.]com** **98.126.38[.]107** **https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-** **compromise-high-profile-victims/** **https://www.fireeye.com/blog/threat-research/2014/04/dll-side-loading-another-blind-spot-for-** **anti-virus.html** **http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung-** **application-for-dll-side-loading/** **http://indianexpress.com/article/business/business-others/10-years-on-sco-decides-to-induct-** **india-as-full-member/** **[https://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation](https://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation)** **[http://ufa2015.com/](http://ufa2015.com/)** **June 4, 2016 9:58 PM** ## Automated Infrastructure Alerts - RiskIQ **June 4, 2016 9:58 PM** ## Automated Infrastructure Alerts - RiskIQ **August 2, 2016 6:40 AM** ## NetTraveler - La menace persistante avancée (APT) cible les intérêts russes et européens | UnderNews ### Name * Email * Website ----- **[Privacy Policy](https://www.paloaltonetworks.com/legal/privacy.html)** **[Legal Notices](https://www.paloaltonetworks.com/legal.html)** **[Site Index](https://www.paloaltonetworks.com/site-index.html)** **[Subscriptions](https://www.paloaltonetworks.com/company/subscriptions.html)** **Copyright © 2007-2013 Palo Alto Networks** -----