# NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan

**[unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/](https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/)**

Vicky Ray, Robert Falcone January 21, 2016

By [Vicky Ray and](https://unit42.paloaltonetworks.com/author/vicky-khan/) [Robert Falcone](https://unit42.paloaltonetworks.com/author/robertfalcone/)

January 21, 2016 at 8:45 AM

[Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Threat Prevention,](https://unit42.paloaltonetworks.com/category/threat-prevention-2/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit42/)

Tags: [AutoFocus,](https://unit42.paloaltonetworks.com/tag/autofocus/) [NetTraveler,](https://unit42.paloaltonetworks.com/tag/nettraveler/) [spearphishing,](https://unit42.paloaltonetworks.com/tag/spearphishing/) [Trojan,](https://unit42.paloaltonetworks.com/tag/trojan/) [Ufa,](https://unit42.paloaltonetworks.com/tag/ufa/) [Ufe,](https://unit42.paloaltonetworks.com/tag/ufe/) [Uzbekistan,](https://unit42.paloaltonetworks.com/tag/uzbekistan/) [WildFire](https://unit42.paloaltonetworks.com/tag/wildfire/)

Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China. A spear-phishing
email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in Beijing, China. In this report, we’ll review how the actors
attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.

On December 12, 2015, a spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan. The body and subject of the email
suggests that the email was spoofed to look like it was sent by the Russian Foreign Ministry and the attachment may contain an official annual
[report on CHS (Council of Heads of Member States), who form the SCO (Shanghai Cooperation Organization).](https://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation)

_Filename: “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” (translated to: “2015.12.11_sroki CHS in 2015 Ufe.doc.doc”)_

_Body: “С уважением, ДАТС МИД России” (translated to: “Yours faithfully, ACSD Russian Foreign Ministry”)_

[It is interesting to note the reference of Ufa in the file name, as the city of Ufa in Russia hosted the SCO BRICS Summit on July 9 and 10,](http://ufa2015.com/)
2015. SCO and BRICS (Brazil, Russia, India, China and South Africa) are intergovernmental international organizations focused on issues of
regional security and economic cooperation.

_Figure 1 Leaders of member nations at the 2015 Summit in Ufa_

## TARGETING AND MALWARE ANALYSIS

Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan.


-----

_gu e_ _a co ta_ _g t e_ _a c ous attac_ _e t_

The malicious attachment “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” is a malicious document created by the MNKit toolkit and exploits
CVE-2012-0158.

[Upon successful exploitation, the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique. The](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf)
[NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf)
continues to be used to target its victims and exfiltrate data.

The DLL side-loading attack technique has been gaining adoption within the cyber espionage realm by threat actors to bypass traditional
[security systems. Unit 42 also published a blog last year discussing an unrelated attack where the DLL side-loading technique was used.](https://blog.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung-application-for-dll-side-loading/)

Figure 3 illustrates the exploitation and the infection flow of the malware.

_Figure 3 Overview of the infection flow_

The document “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” exploits CVE-2012-0158 to drop a decoy file “~$.doc” and the actual payload
“DW20.exe”. The decoy is a blank document with the meta data stripped.

The payload (DW20.exe) is a self-extracting (SFX) RAR archive that contains the following files:

_RasTls.exe_
_rastls.dll_
_Sycmentec.config_


-----

_Figure 4 The payload(DW20.exe) is a SFX RAR archive_

The SFX RAR uses the following configuration to launch the embedded executable, which is a legitimate application created by Symantec that
will side load the rastls.dll DLL:

_Setup=RasTls.exe_
_TempMode_
_Silent=1_
_Overwrite=1_

The figure below shows that the config file, ‘Sycmentec.config’ is encrypted.

The ‘Sycmentec.config’ file can be decrypted using a single byte XOR algorithm using ‘0x77’ as a key.

_Figure 5 Encrypted ‘Sycmentec.config’file_

The ‘rastls.dll’ DLL will load and decrypt this file. The decrypted data starts with shellcode that is responsible for loading an embedded DLL and
executing it.

Figure 6 shows the decrypted ‘Sycmentec.config’file containing an embedded DLL.


-----

_Figure 6 Decrypted ‘Sycmentec.config’ file contains an embedded DLL_

The embedded DLL is the functional payload, which is a variant of the NetTraveler Trojan that has the following attributes:

**Size** 52736 bytes

**Type** PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

**Architecture** 32 Bits binary

**MD5** 3e3df4fe831d87d7f52f14933e464fc3

**SHA1** cce65a0b67674a313091a947506ceb91d30605ad

**SHA256** 3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757

**ssdeep** 1536:jxKW1S8mWKFU7U9lYjhjXwVqTvS/G405:wCBmUw9lAhLWqW/G40

**imphash** 85ce31f87f06b02fec915d33d82958e8

**Date** 0x564B2B07 [Tue Nov 17 13:26:31 2015 UTC]

**CRC:(Claimed)** 0x0, (Actual): 0x19be0 [SUSPICIOUS]

**Packers** Armadillo v1.xx - v2.xx

**Entry Point** 0x1000970b .text 1/5

_Table 1 Attributes of the embedded DLL (NetTraveler)_

The first execution of this NetTraveler Trojan starts off with an installation process. Like previous versions, this NetTraveler sample writes its
configuration to a file, in this case the configuration is written to a file named "config.dat".

_Figure 7 NetTraveler writes the configuration to ‘config.dat’ file_

During execution, NetTraveler creates a mutex of ‘YOYWOW!657’, as shown in Figure 8 below to avoid running multiple instances of its code.


-----

_Figure 8 Mutex created for this NetTraveler payload_

The code then enumerates the 'netsvcs' services, which are services that run within the process space of svchost.exe, specifically ignoring
services named ‘6to4’ and ‘Ias’ as these services have been used by other malware families.

When it finds another netsvcs service with a name not matching these two names, it will delete the file associated with the service and copy
the ‘rastls.dll’ file to that folder using ‘<service name>ve.dll’ as the filename as shown in Figure 9 below.

_Figure 9 Code enumerating ‘netsvcs’ services_


-----

_Figure 10 Renamed ‘rastls.dll’ DLL_

The malware will then change the binary path of the service to point to this new filename and copies the "Sycmentec.config" file to the same
folder and the ‘config.dat’ file to the following location:

_c:\windows\system\CERTAPL.DLL_

The NetTraveler payload relies on the ‘rastls.dll’ file to obtain its C2 server. At first glance, the NetTraveler payload appears as if it will use the
following URL for its C2 server:

_http://192.168.3[.]201/downloader2013/asp/downloader.asp_

However, the NetTraveler payload reads the last ‘0xb0’ bytes from the rastls.dll file and uses it to create the "config.dat" file that is later saved
to "CERTAPL.DLL". This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and
Sycmentec.config files.

_Figure 11 Code snippet showing NetTraveler obtaining its configuration from rastls.dll._


-----

e co gu at o e s st uctu ed as a e as t e oja uses Get ate o eSt g to pa se t e co te ts e co gu at o e as
the following contents:


1
2
3
4
5
6
7



[OOOOOO]
U00P=r^?<80>}H>?<88><89><8A>B<8B><85>|<86><87><89><91><8B><90><92><88>N<84><91><90>S<94><96><9B><8C><8E><9E>Z
K00P=XLMNOPQRSTUVWXYZ[\]^_`abcdefghiv
P00D=5
F00G=True
MM1=0
MM6=1


Unit 42 analyzed the sample and found the following configuration fields that could appear in the CERTAPL.DLL configuration file and a brief
description of each field:


1
2
3
4
5
6
7
8
9


U00P = C2 URL
K00P = Key for DES
P00D = Sleep interval in minutes
F00G = Boolean to determine if sample should use proxy to communicate with C2 server
MM1 = 0 or 1 if proxy is configured or not.
MM3 = Port for configured proxy
MM4 = Username for configured proxy
MM5 = Password for configured proxy
MM6 = 1 if Trojan is installed correctly


The "U00P" and "K00P" values are decrypted using a simple algorithm that subtracts the index and then subtracts ten from each character,
which is depicted in the following:


1
2
3
4
5
6
7


def subtraction_algo(ct):
out = ""
i = 0
for e in ct:
out += chr(ord(e)-i-10)
i += 1
return out


These two fields decrypt to the following, the U00P value being the C2 URL and the K00P value being the basis for an encryption key for the
DES algorithm:

_U00P: http://www.voennovosti.com/optdet/index.asp (decrypted)_

_K00P: NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM (decrypted)_

The C2 server will respond to requests issued by the Trojan with commands to carry out activities on the compromised system. We analyzed
the code within NetTraveler that handles commands issued by the C2 server and found four available commands that are listed in Table 2.

**Command** **Description**


<Unique System
ID>:UNINSTALL

<Unique System
ID>:RUN_REBOOT

<Unique System
ID>:RUN_STARTUP

<Unique System
ID>:RUN_DIRECT


Deletes %APPDATA%\cert2013.dat and %STARTUP%\consent.lnk and exits the process. This attempts to uninstall
the Trojan, but will not work as the filenames are not used by this version of NetTraveler

Reboots the system

Downloads a file to %TEMP%\Temp.bmp and copies it to the startup folder

Download a file to %TEMP%\tmp.bmp and execute it


_Table 2 Commands available within NetTraveler and a description of their functionality_

## INFRASTRUCTURE

[At the time of analysis, the domain voennovosti[.]com was resolving to IP ‘98.126.38[.]107’, which is hosted by Krypt Technologies. A report](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf)
published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies. This web hosting
service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler.


-----

_Figure 12 DNS query for voennovosti[.]com resolves to ‘98.126.38.107’_

_Figure 13 Encoded network communications_

## CONCLUSION

NetTraveler has been used to target diplomats, embassies and government institutions for over a decade, and remains the tool of choice by
the adversaries behind these cyber espionage campaigns. The use of NetTraveler for such a long period of time shows its effectiveness and
success by the adversaries in targeting their victims with impunity.

As seen in this case, the threat actors continue to evolve and employ new techniques within their modus operandi, like ‘DLL side-loading’ to
install malware. It is likely that the use of ‘DLL side loading’ attack technique will increase due to it’s effectiveness to bypass traditional security
systems.

It is essential to raise awareness on such attacks to better protect organizations from adversaries who maybe backed by nation states.

[WildFire correctly classifies NetTraveler as malicious. AutoFocus tags are created to identify NetTraveler samples and respective IOCs are](https://www.paloaltonetworks.com/products/technologies/wildfire.html)
[added to Palo Alto Networks Threat Prevention.](https://paloaltonetworks.com/solutions/initiative/threat-prevention.html)

## INDICATORS

**SHA256 Hash** **File Name**

3f4fcde99775b83bc88d30ca99f5c70c1dd8b96d970dbfd5a846b46c6ea3e534 2015.12.11_сроки СГГ 2015 в Уфе.doc.doc

001fff6c09497f56532e83e998aaa80690a668883b6655129d408dd098bd1b4b DW20.exe

74db11900499aa74be9e62d51889e7611eb8161cd141b9379e05eeca9d7175c9 rastls.dll

8f6af103bf7e3201045ce6c2af41f7a17ef671f33f297d36d2aab8640d00b0f0 Sycmentec.config

495bb9c680f114b255f92448e784563e4fd34ad19cf616cc537bec6245931b7e config.dat

41650cb6b4ae9f06c92628208d024845026c19af1ab3916c99c80c6457bd4fa9 CERTAPL.DLL

3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757 (NetTraveler DLL payload)

**Command and Control**


-----

oe o ost [ ]co
98.126.38[.]107

## REFERENCES

**Get updates from**

**Palo Alto**

**Networks!**

Sign up to receive the latest news, cyber threat intelligence and research from us

[By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use)


-----