NetTraveler, cyber-espionage campaign

Kaspersky recently released a paper on a cyber-espionage campaign that used NetTraveler, a malicious program used for covert computer surveillance.

The document is an interesting read. Below is a summary of some of the attack vectors used with this malware. You can use this information to detect the presence of the NetTraveler malware.

Nettraveler uses a couple of C&C scripts

aasogspread.asp, adfsdfclnggsldfc.asp, advertisingservicesa3sb.asp, aneywsf. asp, apple.asp, applebag005.asp, azarweforrell.asp, azofjeljgo648rl.asp, certify.asp, dochunter.asp, dochunter1.asp, dochunteradfaefaer.asp, fish.asp, happy. asp, heritage.asp, huyuio67.asp, little.asp, madmaswhbe.asp, nethttpfile.asp, netpass. asp, nettraveler.asp, orphaned.asp, rice.asp, sabcfsf.asp, shenghai.asp, time.asp, update. asp, weathobloe.asp, yegnfvhemc.asp

Two of the C&C domains are sinkholed, and by Kaspersky. The other domains listed in the report were used by the malware as a command and control.,,,,,,,,,,,,,,,,,,,,, lab,,,,,,,,,,,,,,,,, lab,

Files marked to be uploaded are put in a directory %Temp%\ ntvba00.tmp\.

The saKer’ (‘xbox’) bacKdoor (droPPed file) uses a specific user agent string.

GET /301000000000F0FD...0000000000000000000 000000 HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win- dows NT 5.0; .NET CLR 1.1.4322)

Cache-Control: no-cache

Leave a Reply

Your email address will not be published. Required fields are marked *