NetTraveler (Malware Family)

NetTraveler

aka: TravNet

There is no description at this point.

References

2020-11-27 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Dissecting APT21 samples using a step-by-step approach
NetTraveler

2016-07-07 ⋅ Proofpoint ⋅ Axel F
NetTraveler APT Targets Russian, European Interests
NetTraveler NetTraveler

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_nettraveler_auto (20220516 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d45b8 50 8d45c0 50 8d8510ffffff 50 8d45cc } // n = 7, score = 100 // 8d45b8 \| lea eax, [ebp - 0x48] // 50 \| push eax // 8d45c0 \| lea eax, [ebp - 0x40] // 50 \| push eax // 8d8510ffffff \| lea eax, [ebp - 0xf0] // 50 \| push eax // 8d45cc \| lea eax, [ebp - 0x34] $sequence_1 = { 50 ff15???????? 3bc3 8945f4 0f847a020000 391d???????? } // n = 6, score = 100 // 50 \| push eax // ff15???????? \| // 3bc3 \| cmp eax, ebx // 8945f4 \| mov dword ptr [ebp - 0xc], eax // 0f847a020000 \| je 0x280 // 391d???????? \| $sequence_2 = { 33d8 33d9 035df0 8d9c1ff87ca21f 8bfb } // n = 5, score = 100 // 33d8 \| xor ebx, eax // 33d9 \| xor ebx, ecx // 035df0 \| add ebx, dword ptr [ebp - 0x10] // 8d9c1ff87ca21f \| lea ebx, [edi + ebx + 0x1fa27cf8] // 8bfb \| mov edi, ebx $sequence_3 = { ffd6 50 ff15???????? 895dfc ff7508 ff15???????? ff75ec } // n = 7, score = 100 // ffd6 \| call esi // 50 \| push eax // ff15???????? \| // 895dfc \| mov dword ptr [ebp - 4], ebx // ff7508 \| push dword ptr [ebp + 8] // ff15???????? \| // ff75ec \| push dword ptr [ebp - 0x14] $sequence_4 = { e8???????? 8d45e4 57 50 8d45f0 50 e8???????? } // n = 7, score = 100 // e8???????? \| // 8d45e4 \| lea eax, [ebp - 0x1c] // 57 \| push edi // 50 \| push eax // 8d45f0 \| lea eax, [ebp - 0x10] // 50 \| push eax // e8???????? \| $sequence_5 = { 8b37 83c704 33f0 897d0c 8bfe } // n = 5, score = 100 // 8b37 \| mov esi, dword ptr [edi] // 83c704 \| add edi, 4 // 33f0 \| xor esi, eax // 897d0c \| mov dword ptr [ebp + 0xc], edi // 8bfe \| mov edi, esi $sequence_6 = { 0f8678020000 8b45e8 40 8945fc } // n = 4, score = 100 // 0f8678020000 \| jbe 0x27e // 8b45e8 \| mov eax, dword ptr [ebp - 0x18] // 40 \| inc eax // 8945fc \| mov dword ptr [ebp - 4], eax $sequence_7 = { eb0b 6a03 eb06 6a02 eb02 6a01 } // n = 6, score = 100 // eb0b \| jmp 0xd // 6a03 \| push 3 // eb06 \| jmp 8 // 6a02 \| push 2 // eb02 \| jmp 4 // 6a01 \| push 1 $sequence_8 = { ba???????? 0fb69f4c910010 8d8764910010 807c1dc400 7404 8b1a 091e } // n = 7, score = 100 // ba???????? \| // 0fb69f4c910010 \| movzx ebx, byte ptr [edi + 0x1000914c] // 8d8764910010 \| lea eax, [edi + 0x10009164] // 807c1dc400 \| cmp byte ptr [ebp + ebx - 0x3c], 0 // 7404 \| je 6 // 8b1a \| mov ebx, dword ptr [edx] // 091e \| or dword ptr [esi], ebx $sequence_9 = { 8945ec 85c0 750b ff45fc 837dfc03 7d34 ebd5 } // n = 7, score = 100 // 8945ec \| mov dword ptr [ebp - 0x14], eax // 85c0 \| test eax, eax // 750b \| jne 0xd // ff45fc \| inc dword ptr [ebp - 4] // 837dfc03 \| cmp dword ptr [ebp - 4], 3 // 7d34 \| jge 0x36 // ebd5 \| jmp 0xffffffd7 condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

Download all Yara Rules

[TLP:WHITE] win_nettraveler_auto (20220516 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d45b8 50 8d45c0 50 8d8510ffffff 50 8d45cc } // n = 7, score = 100 // 8d45b8 \| lea eax, [ebp - 0x48] // 50 \| push eax // 8d45c0 \| lea eax, [ebp - 0x40] // 50 \| push eax // 8d8510ffffff \| lea eax, [ebp - 0xf0] // 50 \| push eax // 8d45cc \| lea eax, [ebp - 0x34] $sequence_1 = { 50 ff15???????? 3bc3 8945f4 0f847a020000 391d???????? } // n = 6, score = 100 // 50 \| push eax // ff15???????? \| // 3bc3 \| cmp eax, ebx // 8945f4 \| mov dword ptr [ebp - 0xc], eax // 0f847a020000 \| je 0x280 // 391d???????? \| $sequence_2 = { 33d8 33d9 035df0 8d9c1ff87ca21f 8bfb } // n = 5, score = 100 // 33d8 \| xor ebx, eax // 33d9 \| xor ebx, ecx // 035df0 \| add ebx, dword ptr [ebp - 0x10] // 8d9c1ff87ca21f \| lea ebx, [edi + ebx + 0x1fa27cf8] // 8bfb \| mov edi, ebx $sequence_3 = { ffd6 50 ff15???????? 895dfc ff7508 ff15???????? ff75ec } // n = 7, score = 100 // ffd6 \| call esi // 50 \| push eax // ff15???????? \| // 895dfc \| mov dword ptr [ebp - 4], ebx // ff7508 \| push dword ptr [ebp + 8] // ff15???????? \| // ff75ec \| push dword ptr [ebp - 0x14] $sequence_4 = { e8???????? 8d45e4 57 50 8d45f0 50 e8???????? } // n = 7, score = 100 // e8???????? \| // 8d45e4 \| lea eax, [ebp - 0x1c] // 57 \| push edi // 50 \| push eax // 8d45f0 \| lea eax, [ebp - 0x10] // 50 \| push eax // e8???????? \| $sequence_5 = { 8b37 83c704 33f0 897d0c 8bfe } // n = 5, score = 100 // 8b37 \| mov esi, dword ptr [edi] // 83c704 \| add edi, 4 // 33f0 \| xor esi, eax // 897d0c \| mov dword ptr [ebp + 0xc], edi // 8bfe \| mov edi, esi $sequence_6 = { 0f8678020000 8b45e8 40 8945fc } // n = 4, score = 100 // 0f8678020000 \| jbe 0x27e // 8b45e8 \| mov eax, dword ptr [ebp - 0x18] // 40 \| inc eax // 8945fc \| mov dword ptr [ebp - 4], eax $sequence_7 = { eb0b 6a03 eb06 6a02 eb02 6a01 } // n = 6, score = 100 // eb0b \| jmp 0xd // 6a03 \| push 3 // eb06 \| jmp 8 // 6a02 \| push 2 // eb02 \| jmp 4 // 6a01 \| push 1 $sequence_8 = { ba???????? 0fb69f4c910010 8d8764910010 807c1dc400 7404 8b1a 091e } // n = 7, score = 100 // ba???????? \| // 0fb69f4c910010 \| movzx ebx, byte ptr [edi + 0x1000914c] // 8d8764910010 \| lea eax, [edi + 0x10009164] // 807c1dc400 \| cmp byte ptr [ebp + ebx - 0x3c], 0 // 7404 \| je 6 // 8b1a \| mov ebx, dword ptr [edx] // 091e \| or dword ptr [esi], ebx $sequence_9 = { 8945ec 85c0 750b ff45fc 837dfc03 7d34 ebd5 } // n = 7, score = 100 // 8945ec \| mov dword ptr [ebp - 0x14], eax // 85c0 \| test eax, eax // 750b \| jne 0xd // ff45fc \| inc dword ptr [ebp - 4] // 837dfc03 \| cmp dword ptr [ebp - 4], 3 // 7d34 \| jge 0x36 // ebd5 \| jmp 0xffffffd7 condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

NetTraveler Propose Change

References

Yara Rules

NetTraveler