NetTraveler (Malware Family)

NetTraveler

aka: TravNet

There is no description at this point.

References

2020-11-27 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Dissecting APT21 samples using a step-by-step approach
NetTraveler

2016-07-07 ⋅ Proofpoint ⋅ Axel F
NetTraveler APT Targets Russian, European Interests
NetTraveler NetTraveler

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_nettraveler_auto (20210616 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 57 8d85f4fdffff 6804010000 50 ff15???????? 8b35???????? } // n = 7, score = 100 // 56 \| push esi // 57 \| push edi // 8d85f4fdffff \| lea eax, dword ptr [ebp - 0x20c] // 6804010000 \| push 0x104 // 50 \| push eax // ff15???????? \| // 8b35???????? \| $sequence_1 = { ff75fc e8???????? 83c40c 8945f8 eb0d 53 68???????? } // n = 7, score = 100 // ff75fc \| push dword ptr [ebp - 4] // e8???????? \| // 83c40c \| add esp, 0xc // 8945f8 \| mov dword ptr [ebp - 8], eax // eb0d \| jmp 0xf // 53 \| push ebx // 68???????? \| $sequence_2 = { 50 ffd6 8d45f8 50 8d85ccfeffff 50 } // n = 6, score = 100 // 50 \| push eax // ffd6 \| call esi // 8d45f8 \| lea eax, dword ptr [ebp - 8] // 50 \| push eax // 8d85ccfeffff \| lea eax, dword ptr [ebp - 0x134] // 50 \| push eax $sequence_3 = { 03f7 ff4d0c 75ba 66837d1801 7558 837dfc00 7e52 } // n = 7, score = 100 // 03f7 \| add esi, edi // ff4d0c \| dec dword ptr [ebp + 0xc] // 75ba \| jne 0xffffffbc // 66837d1801 \| cmp word ptr [ebp + 0x18], 1 // 7558 \| jne 0x5a // 837dfc00 \| cmp dword ptr [ebp - 4], 0 // 7e52 \| jle 0x54 $sequence_4 = { ff742414 ffd3 59 85c0 59 752c 55 } // n = 7, score = 100 // ff742414 \| push dword ptr [esp + 0x14] // ffd3 \| call ebx // 59 \| pop ecx // 85c0 \| test eax, eax // 59 \| pop ecx // 752c \| jne 0x2e // 55 \| push ebp $sequence_5 = { 7522 e8???????? 393d???????? 7410 e8???????? 85c0 7507 } // n = 7, score = 100 // 7522 \| jne 0x24 // e8???????? \| // 393d???????? \| // 7410 \| je 0x12 // e8???????? \| // 85c0 \| test eax, eax // 7507 \| jne 9 $sequence_6 = { 8d45b8 6a10 50 68???????? e8???????? 83c418 ff75f4 } // n = 7, score = 100 // 8d45b8 \| lea eax, dword ptr [ebp - 0x48] // 6a10 \| push 0x10 // 50 \| push eax // 68???????? \| // e8???????? \| // 83c418 \| add esp, 0x18 // ff75f4 \| push dword ptr [ebp - 0xc] $sequence_7 = { 68???????? 57 ffd6 5f 5e 5b c3 } // n = 7, score = 100 // 68???????? \| // 57 \| push edi // ffd6 \| call esi // 5f \| pop edi // 5e \| pop esi // 5b \| pop ebx // c3 \| ret $sequence_8 = { 3bdf 7d02 8bfb 8b4508 57 ff7514 } // n = 6, score = 100 // 3bdf \| cmp ebx, edi // 7d02 \| jge 4 // 8bfb \| mov edi, ebx // 8b4508 \| mov eax, dword ptr [ebp + 8] // 57 \| push edi // ff7514 \| push dword ptr [ebp + 0x14] $sequence_9 = { 8945f8 0f8223ffffff eb28 8d858cf7ffff 50 ff750c } // n = 6, score = 100 // 8945f8 \| mov dword ptr [ebp - 8], eax // 0f8223ffffff \| jb 0xffffff29 // eb28 \| jmp 0x2a // 8d858cf7ffff \| lea eax, dword ptr [ebp - 0x874] // 50 \| push eax // ff750c \| push dword ptr [ebp + 0xc] condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

Download all Yara Rules

[TLP:WHITE] win_nettraveler_auto (20210616 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 57 8d85f4fdffff 6804010000 50 ff15???????? 8b35???????? } // n = 7, score = 100 // 56 \| push esi // 57 \| push edi // 8d85f4fdffff \| lea eax, dword ptr [ebp - 0x20c] // 6804010000 \| push 0x104 // 50 \| push eax // ff15???????? \| // 8b35???????? \| $sequence_1 = { ff75fc e8???????? 83c40c 8945f8 eb0d 53 68???????? } // n = 7, score = 100 // ff75fc \| push dword ptr [ebp - 4] // e8???????? \| // 83c40c \| add esp, 0xc // 8945f8 \| mov dword ptr [ebp - 8], eax // eb0d \| jmp 0xf // 53 \| push ebx // 68???????? \| $sequence_2 = { 50 ffd6 8d45f8 50 8d85ccfeffff 50 } // n = 6, score = 100 // 50 \| push eax // ffd6 \| call esi // 8d45f8 \| lea eax, dword ptr [ebp - 8] // 50 \| push eax // 8d85ccfeffff \| lea eax, dword ptr [ebp - 0x134] // 50 \| push eax $sequence_3 = { 03f7 ff4d0c 75ba 66837d1801 7558 837dfc00 7e52 } // n = 7, score = 100 // 03f7 \| add esi, edi // ff4d0c \| dec dword ptr [ebp + 0xc] // 75ba \| jne 0xffffffbc // 66837d1801 \| cmp word ptr [ebp + 0x18], 1 // 7558 \| jne 0x5a // 837dfc00 \| cmp dword ptr [ebp - 4], 0 // 7e52 \| jle 0x54 $sequence_4 = { ff742414 ffd3 59 85c0 59 752c 55 } // n = 7, score = 100 // ff742414 \| push dword ptr [esp + 0x14] // ffd3 \| call ebx // 59 \| pop ecx // 85c0 \| test eax, eax // 59 \| pop ecx // 752c \| jne 0x2e // 55 \| push ebp $sequence_5 = { 7522 e8???????? 393d???????? 7410 e8???????? 85c0 7507 } // n = 7, score = 100 // 7522 \| jne 0x24 // e8???????? \| // 393d???????? \| // 7410 \| je 0x12 // e8???????? \| // 85c0 \| test eax, eax // 7507 \| jne 9 $sequence_6 = { 8d45b8 6a10 50 68???????? e8???????? 83c418 ff75f4 } // n = 7, score = 100 // 8d45b8 \| lea eax, dword ptr [ebp - 0x48] // 6a10 \| push 0x10 // 50 \| push eax // 68???????? \| // e8???????? \| // 83c418 \| add esp, 0x18 // ff75f4 \| push dword ptr [ebp - 0xc] $sequence_7 = { 68???????? 57 ffd6 5f 5e 5b c3 } // n = 7, score = 100 // 68???????? \| // 57 \| push edi // ffd6 \| call esi // 5f \| pop edi // 5e \| pop esi // 5b \| pop ebx // c3 \| ret $sequence_8 = { 3bdf 7d02 8bfb 8b4508 57 ff7514 } // n = 6, score = 100 // 3bdf \| cmp ebx, edi // 7d02 \| jge 4 // 8bfb \| mov edi, ebx // 8b4508 \| mov eax, dword ptr [ebp + 8] // 57 \| push edi // ff7514 \| push dword ptr [ebp + 0x14] $sequence_9 = { 8945f8 0f8223ffffff eb28 8d858cf7ffff 50 ff750c } // n = 6, score = 100 // 8945f8 \| mov dword ptr [ebp - 8], eax // 0f8223ffffff \| jb 0xffffff29 // eb28 \| jmp 0x2a // 8d858cf7ffff \| lea eax, dword ptr [ebp - 0x874] // 50 \| push eax // ff750c \| push dword ptr [ebp + 0xc] condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

NetTraveler Propose Change

References

Yara Rules

NetTraveler