The Ministry of Defense of Mongolia has fallen victim to NetTraveler
This report describes multiple cyber-espionage campaigns that have successfully compromised more than 350 high-profile victims in 40 countries. The focus of the paper is to describe NetTraveler, the main tool used by the threat actors during these attacks.
The name “NetTraveler” comes from an internal string which is present in early versions of the malware: “NetTraveler Is Running!”. This malware is used by APT actors for basic surveillance of their victims. Earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.
Known targets of NetTraveler (also known as “Travnet” or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
The NetTraveler backdoor is often used together with other malware families. During the analysis of one of the command and control (C&C) servers, we observed how the attackers deployed different backdoors to the victims’ machines. These include the malware known as “Saker”, also known as “Xbox” (known filenames: “update.exe”, “updata.exe” or “xbox.exe”), and “PCRat” / “Zegost”. This report includes a full description of the “Saker/Xbox” backdoor as well.
The attacks use spear-phishing e-mails with malicious Microsoft Office documents as attachments. Gathered data includes file system listings, keylogs, various types of documents (.doc, .xls, .ppt, .pdf, etc.) and other private information. We have calculated the amount of stolen data stored on the C&C servers to be 22+ gigabytes. However, this data represents only the small fraction we managed to see; the rest had previously been downloaded and then deleted from the C&C servers by the attackers.
See page 9 of the report for details.