NetTraveler APT Gets a Makeover for 10th Birthday
We have written about NetTraveler before HERE and HERE.

Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters
using an updated version of the NetTraveler backdoor.

Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.




The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

                                      "Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki
            File name
                                      ashkarilanmaqta.doc"
            MD5                       b2385963d3afece16bd7478b4cf290ce
            Size                      381,667 bytes

The .DOC file, which in reality is a "Single File Web Page" container, also known as "Web archive file",
appears to have been created on a system using Microsoft Office - Simplified Chinese.

It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as
Exploit.MSWord.CVE-2012-0158.db.

If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by
Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of
other files. The main C&C module is dumped into
"%SystemRoot%\system32\Windowsupdataney.dll", (detected by Kaspersky as Trojan-
Spy.Win32.TravNet.qfr).

           Name                      WINDOWSUPDATANEY.DLL
           MD5                       c13c79ad874215cfec8d318468e3d116
           Size                      37,888 bytes

It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT"
(detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):

 @echo off
 @reg add
 "HKEY_LOCAL_MACHINE\
 SOFTWARE\Microsoft\Win
 dows@echo off
 NT\CurrentVersion\Svcho
 st" @reg
     /v Windowsupdata     /t
            add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows           NT\CurrentVersion\Svchost" /v
 REG_MULTI_SZ /d
     Windowsupdata
 Windowsupdata /f
                          /t REG_MULTI_SZ   /d Windowsupdata /f
 @reg add
     @reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v
 "HKEY_LOCAL_MACHINE\
     ImagePath /t REG_EXPAND_SZ /d %SystemRoot%\System32\svchost.exe -k Windowsupdata /f
 SYSTEM\CurrentControlSe
 t\Services\Windowsupdat
 a" /v ImagePath
     @reg          /t
            add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata"        /v
 REG_EXPAND_SZ /d
     DisplayName
 %SystemRoot%\System32
                       /t REG_SZ /d Windowsupdata  /f
 \svchost.exe -k
     @reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata"
 Windowsupdata     /f                                                                       /v
 @regObjectName
        add           /t REG_SZ /d LocalSystem /f
 "HKEY_LOCAL_MACHINE\
 SYSTEM\CurrentControlSe
     @reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata" /v
 t\Services\Windowsupdat
     ErrorControl /t REG_DWORD /d 1 /f
 a" /v DisplayName /t
 REG_SZ /d
     @reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata"
 Windowsupdata     /f                                                                       /v Start /t
 @regREG_DWORD
        add              /d 2 /f
 "HKEY_LOCAL_MACHINE\
 SYSTEM\CurrentControlSe
     @reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windowsupdata\Parameters"
 t\Services\Windowsupdat
     /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\system32\Windowsupdataney.dll /f
 a" /v ObjectName /t
 REG_SZ /d LocalSystem /f
 @reg add
To   make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark
 "HKEY_LOCAL_MACHINE\
 SYSTEM\CurrentControlSe
its presence in the system. Other known mutexes used by older and current variants include:
 t\Services\Windowsupdat
 a" /v ErrorControl /t
 REG_DWORD /d 1 /f
 @reg addBoat-12 Is Running!
 "HKEY_LOCAL_MACHINE\
         DocHunter2012 Is Running!
 SYSTEM\CurrentControlSe
 t\Services\Windowsupdat
         Hunter-2012 Is Running!
 a" /v Start /t REG_DWORD
 /d 2 /fNT-2012 Is Running!
 @reg add
 "HKEY_LOCAL_MACHINE\
      NetTravler Is Running!
      NetTravler2012 Is Running!
      SH-2011 Is Running!
      ShengHai Is Running!
      SD2013 is Running!

The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a
slightly new format compared to "older" NetTraveler samples:




For the record, here's what an older NetTraveler config file looks like:




Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration.
Luckily, the encryption is relatively simple to break.

The algorithm is as follows:

for (i=0;i<string_size;i++)
decrypted[i]=encrypted[i] - (i + 0xa);

Once decrypted, the new config looks like this:
One can easily see the command-and-control (C&C) server in the screenshot above, which is
"uyghurinfo[.]com".

We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can
be found below:

 C&C server            IP                   IP location                      Registrar
                                            Hong Kong, Albert Heng,          SHANGHAI MEICHENG
 ssdcru[.]com          103.30.7.77
                                            Trillion Company                 TECHNOLOGY
                                            United States, Los Angeles,      TODAYNIC.COM
 uygurinfo[.]com       216.83.32.29
                                            Integen Inc                      INC.
                                            Hong Kong, Kowloon,
                                                                             SHANGHAI MEICHENG
 samedone[.]com        122.10.17.130        Hongkong Dingfengxinhui Bgp
                                                                             TECHNOLOGY
                                            Datacenter
                                            Hong Kong, Sun Network           SHANGHAI MEICHENG
 gobackto[.]net        103.1.42.1
                                            (hong Kong) Limited              TECHNOLOGY
                                                                             SHANGHAI MEICHENG
 worksware[.]net       N/A                  N/A
                                                                             TECHNOLOGY
                       was                  Hong Kong, Sun Network           SHANGHAI MEICHENG
 jojomic[.]com
                       202.146.219.14       (hong Kong) Limited              TECHNOLOGY
                                            hong kong hung tai               SHANGHAI MEICHENG
 angellost[.]net       was 103.17.117.201
                                            international holdings           TECHNOLOGY
                                            hong kong hung tai               SHANGHAI MEICHENG
 husden[.]com          was 103.30.7.76
                                            international holdings           TECHNOLOGY

We recommend blocking all these hosts in your firewall.

Conclusion

This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we
have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the
year when their activity started.
For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and
military targets.
NetTraveler victims by industry

Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration,
nano-technology, energy production, nuclear power, lasers, medicine and communications.

The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can
assume it will stay this way, perhaps for another 10 years.
