Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.
Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.
The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

File name: "Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc"
MD5: b2385963d3afece16bd7478b4cf290ce
Size: 381,667 bytes
The .DOC file, which in reality is a "Single File Web Page" container, also known as "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese.
It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.
If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll" (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).

Name: WINDOWSUPDATANEY.DLL
MD5: c13c79ad874215cfec8d318468e3d116
Size: 37,888 bytes
It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):
To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:
- Boat-12 Is Running!
- DocHunter2012 Is Running!
- Hunter-2012 Is Running!
- NT-2012 Is Running!
- NetTravler Is Running!
- NetTravler2012 Is Running!
- SH-2011 Is Running!
- ShengHai Is Running!
- SD2013 is Running!
The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly new format compared to "older" NetTraveler samples:
For the record, here's what an older NetTraveler config file looks like:
Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break.
The algorithm is as follows:
decrypted[i]=encrypted[i] - (i + 0xa);
Once decrypted, the new config looks like this:
One can easily see the command-and-control (C&C) server in the screenshot above, which is "uyghurinfo[.]com".
We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:

C&C server        IP                  IP location                                                  Registrar
ssdcru[.]com      18.104.22.168       Hong Kong, Albert Heng, Trillion Company                     SHANGHAI MEICHENG TECHNOLOGY
uygurinfo[.]com   22.214.171.124      United States, Los Angeles, Integen Inc                      TODAYNIC.COM INC.
samedone[.]com    126.96.36.199       Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp Datacenter   SHANGHAI MEICHENG TECHNOLOGY
gobackto[.]net    188.8.131.52        Hong Kong, Sun Network (hong Kong) Limited                   SHANGHAI MEICHENG TECHNOLOGY
worksware[.]net   N/A                 N/A                                                          SHANGHAI MEICHENG TECHNOLOGY
jojomic[.]com     was 184.108.40.206  Hong Kong, Sun Network (hong Kong) Limited                   SHANGHAI MEICHENG TECHNOLOGY
angellost[.]net   was 220.127.116.11  hong kong hung tai international holdings                    SHANGHAI MEICHENG TECHNOLOGY
husden[.]com      was 18.104.22.168   hong kong hung tai international holdings                    SHANGHAI MEICHENG TECHNOLOGY
We recommend blocking all these hosts in your firewall.

Conclusion
This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.
For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.
[Figure: NetTraveler victims by industry]
Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.
The end of each summer always gets me excited, because one of my favorite events is taking place: the Internet Law Summer School organized by ELSA - The European Law Students' Association. This summer school is the perfect opportunity to meet young, smart and talented law students and discuss privacy, security or internet threats with them.
These students will become the lawyers, prosecutors and judges of tomorrow - so it's very important for them to get in touch with the real world problems of fighting cyber-crime and ensuring the security and privacy of personal data.
Fighting cyber-crime through all means possible has always been our mission here at Kaspersky Lab. But we can't do this alone. Sure, our products and technologies are protecting hundreds of millions of users worldwide, but stopping cyber-crime is something we cannot do just by ourselves.
Cyber-crime is a huge problem worldwide and it is always very frustrating to see that those persons responsible for cyber-attacks very rarely have to face the consequences of their actions. In the last 24 hours, we've discovered more than 300,000 new viruses, trojans and worms. How many cyber-criminals have received prison sentences in the same 24-hour period?
The reason why cyber-criminals usually get away with their crimes is that both law enforcement and judicial systems around the world are having a hard time trying to keep up with the evolution of technology, or threats on the internet specifically. This is why it's so important to train law enforcement officers. This is why it's so important to train judges and prosecutors. At the end of the day, they are the ones actually fighting cyber-crime by sending cyber-criminals to jail.
This year, the main focus of the summer school was on freedom of media and private life. I focused on the privacy and security side, of course - with a workshop titled "Private life in cyberspace - securing your personal data online".
My main message? Trust and use encryption in order to thwart prying eyes - but don't forget that no matter how good the encryption you're using is, an insecure operating system will always offer the attacker the chance of accessing your data before it gets encrypted. You can't have privacy without first having good security.