NetTraveler (Malware Family)

NetTraveler

aka: TravNet

Actor(s): NetTraveler

There is no description at this point.

References

2020-11-27 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Dissecting APT21 samples using a step-by-step approach
NetTraveler

2017-08-25 ⋅ Kaspersky Labs ⋅ Juan Andrés Guerrero-Saade, Costin Raiu
Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell
NetTraveler RCS WannaCryptor Dancing Salome

2016-07-07 ⋅ Proofpoint ⋅ Axel F
NetTraveler APT Targets Russian, European Interests
NetTraveler APT21

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_nettraveler_auto (20230715 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { c745f400040000 50 8d85dcf7ffff 50 } // n = 4, score = 100 // c745f400040000 \| mov dword ptr [ebp - 0xc], 0x400 // 50 \| push eax // 8d85dcf7ffff \| lea eax, [ebp - 0x824] // 50 \| push eax $sequence_1 = { ff75f4 ff75fc 50 ff15???????? ff75f0 ff15???????? 8d85b4feffff } // n = 7, score = 100 // ff75f4 \| push dword ptr [ebp - 0xc] // ff75fc \| push dword ptr [ebp - 4] // 50 \| push eax // ff15???????? \| // ff75f0 \| push dword ptr [ebp - 0x10] // ff15???????? \| // 8d85b4feffff \| lea eax, [ebp - 0x14c] $sequence_2 = { e8???????? 83c41c ff750c ff7508 56 e8???????? } // n = 6, score = 100 // e8???????? \| // 83c41c \| add esp, 0x1c // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] // 56 \| push esi // e8???????? \| $sequence_3 = { ff15???????? 8b1d???????? 50 ffd3 68???????? 68???????? 8d85ccfeffff } // n = 7, score = 100 // ff15???????? \| // 8b1d???????? \| // 50 \| push eax // ffd3 \| call ebx // 68???????? \| // 68???????? \| // 8d85ccfeffff \| lea eax, [ebp - 0x134] $sequence_4 = { a801 745a 8ac1 c645cd3a 0441 c645ce5c 8845cc } // n = 7, score = 100 // a801 \| test al, 1 // 745a \| je 0x5c // 8ac1 \| mov al, cl // c645cd3a \| mov byte ptr [ebp - 0x33], 0x3a // 0441 \| add al, 0x41 // c645ce5c \| mov byte ptr [ebp - 0x32], 0x5c // 8845cc \| mov byte ptr [ebp - 0x34], al $sequence_5 = { 81e1ff000000 8933 8b32 c1e608 0bf1 } // n = 5, score = 100 // 81e1ff000000 \| and ecx, 0xff // 8933 \| mov dword ptr [ebx], esi // 8b32 \| mov esi, dword ptr [edx] // c1e608 \| shl esi, 8 // 0bf1 \| or esi, ecx $sequence_6 = { 50 ff75fc ff750c ff7508 e8???????? 83c428 395dfc } // n = 7, score = 100 // 50 \| push eax // ff75fc \| push dword ptr [ebp - 4] // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] // e8???????? \| // 83c428 \| add esp, 0x28 // 395dfc \| cmp dword ptr [ebp - 4], ebx $sequence_7 = { ff75e4 ff15???????? 8d850cf2ffff 56 50 e8???????? } // n = 6, score = 100 // ff75e4 \| push dword ptr [ebp - 0x1c] // ff15???????? \| // 8d850cf2ffff \| lea eax, [ebp - 0xdf4] // 56 \| push esi // 50 \| push eax // e8???????? \| $sequence_8 = { 80e201 88140f 41 3bce 7ce6 eb78 8d0c40 } // n = 7, score = 100 // 80e201 \| and dl, 1 // 88140f \| mov byte ptr [edi + ecx], dl // 41 \| inc ecx // 3bce \| cmp ecx, esi // 7ce6 \| jl 0xffffffe8 // eb78 \| jmp 0x7a // 8d0c40 \| lea ecx, [eax + eax2] $sequence_9 = { 50 ff15???????? 6810270000 ff15???????? 6a00 ff15???????? 5f } // n = 7, score = 100 // 50 \| push eax // ff15???????? \| // 6810270000 \| push 0x2710 // ff15???????? \| // 6a00 \| push 0 // ff15???????? \| // 5f \| pop edi condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

Download all Yara Rules

[TLP:WHITE] win_nettraveler_auto (20230715 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { c745f400040000 50 8d85dcf7ffff 50 } // n = 4, score = 100 // c745f400040000 \| mov dword ptr [ebp - 0xc], 0x400 // 50 \| push eax // 8d85dcf7ffff \| lea eax, [ebp - 0x824] // 50 \| push eax $sequence_1 = { ff75f4 ff75fc 50 ff15???????? ff75f0 ff15???????? 8d85b4feffff } // n = 7, score = 100 // ff75f4 \| push dword ptr [ebp - 0xc] // ff75fc \| push dword ptr [ebp - 4] // 50 \| push eax // ff15???????? \| // ff75f0 \| push dword ptr [ebp - 0x10] // ff15???????? \| // 8d85b4feffff \| lea eax, [ebp - 0x14c] $sequence_2 = { e8???????? 83c41c ff750c ff7508 56 e8???????? } // n = 6, score = 100 // e8???????? \| // 83c41c \| add esp, 0x1c // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] // 56 \| push esi // e8???????? \| $sequence_3 = { ff15???????? 8b1d???????? 50 ffd3 68???????? 68???????? 8d85ccfeffff } // n = 7, score = 100 // ff15???????? \| // 8b1d???????? \| // 50 \| push eax // ffd3 \| call ebx // 68???????? \| // 68???????? \| // 8d85ccfeffff \| lea eax, [ebp - 0x134] $sequence_4 = { a801 745a 8ac1 c645cd3a 0441 c645ce5c 8845cc } // n = 7, score = 100 // a801 \| test al, 1 // 745a \| je 0x5c // 8ac1 \| mov al, cl // c645cd3a \| mov byte ptr [ebp - 0x33], 0x3a // 0441 \| add al, 0x41 // c645ce5c \| mov byte ptr [ebp - 0x32], 0x5c // 8845cc \| mov byte ptr [ebp - 0x34], al $sequence_5 = { 81e1ff000000 8933 8b32 c1e608 0bf1 } // n = 5, score = 100 // 81e1ff000000 \| and ecx, 0xff // 8933 \| mov dword ptr [ebx], esi // 8b32 \| mov esi, dword ptr [edx] // c1e608 \| shl esi, 8 // 0bf1 \| or esi, ecx $sequence_6 = { 50 ff75fc ff750c ff7508 e8???????? 83c428 395dfc } // n = 7, score = 100 // 50 \| push eax // ff75fc \| push dword ptr [ebp - 4] // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] // e8???????? \| // 83c428 \| add esp, 0x28 // 395dfc \| cmp dword ptr [ebp - 4], ebx $sequence_7 = { ff75e4 ff15???????? 8d850cf2ffff 56 50 e8???????? } // n = 6, score = 100 // ff75e4 \| push dword ptr [ebp - 0x1c] // ff15???????? \| // 8d850cf2ffff \| lea eax, [ebp - 0xdf4] // 56 \| push esi // 50 \| push eax // e8???????? \| $sequence_8 = { 80e201 88140f 41 3bce 7ce6 eb78 8d0c40 } // n = 7, score = 100 // 80e201 \| and dl, 1 // 88140f \| mov byte ptr [edi + ecx], dl // 41 \| inc ecx // 3bce \| cmp ecx, esi // 7ce6 \| jl 0xffffffe8 // eb78 \| jmp 0x7a // 8d0c40 \| lea ecx, [eax + eax2] $sequence_9 = { 50 ff15???????? 6810270000 ff15???????? 6a00 ff15???????? 5f } // n = 7, score = 100 // 50 \| push eax // ff15???????? \| // 6810270000 \| push 0x2710 // ff15???????? \| // 6a00 \| push 0 // ff15???????? \| // 5f \| pop edi condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

NetTraveler Propose Change

References

Yara Rules

NetTraveler