Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Pez
« on: 15. March 2013., 11:13:15 »

Travnet Trojan Could Be Part of APT Campaign

Attackers use all kinds of attack vectors to steal sensitive information from their targets. Their efforts are not limited to only zero-day vulnerabilities. Malware authors often exploit old vulnerabilities because a large number of organizations still use old vulnerable software. The Trojan Travnet, which steals information, is a classic example of malware that takes advantage of unpatched software. We have recently observed malicious Travnet RTF and Excel documents that exploit old vulnerabilities, such as CVE-2010-3333, in Microsoft Office. During our investigation we identified some samples associated with this campaign that have been active since 2009.

Once Travnet infects a machine, it searches for all document files, such as PDF, PPT, and DOC, and uploads this data to remote servers. To evade detection from network-monitoring appliances such as intrusion detection and prevention systems, the malware sends the stolen data in encrypted format. To reduce the data size, it first uses a compression algorithm and then a Base64 algorithm.

We have observed the following files actively used in this campaign:

• План проведения учения ВМС на 2013 года.xls (“Plan for teaching the Navy in 2013 goda.xls”)

• 22.01.2013.doc

These files exploit old vulnerabilities in Office and drop executable files that are embedded in the original malicious files.



"click the images to get them larger"

We found that IP address 110.34.193.13 hosted many domains that are part of this campaign.



During our investigation we found that these servers are now hosted at different IPs. The next list shows recent domains associated with this campaign.



Most of the domains are registered with the following Registrar and Name Server:



Some sites are registered to Li Ming and Zhang Lan, which could be fake names. However, their email IDs are also associated with lots of similar websites that are part of this campaign.



The stolen data is being hosted at the following servers:





We found on one server other malicious files using different domains:



The malware injects a DLL into the Internet Explorer process “IEXPLORE.EXE” and starts collecting information and sending to the remote server:



The following image shows how the infected machine sends data to the server:



The stolen data is parsed by nettraveler.asp. Here is a snippet of that file:



As we write this blog, we continue to analyze the samples to ascertain the nature of the data being collected on the remote servers, the potential victims, and the attacker(s). We are also investigating whether this attack is an advanced persistent threat.

McAfee protects against this threat through on-demand User Defined Signatures. Coverage will be included in the Network Security Platform’s next signature release.

Thanks to fellow researchers Anil Aphale, Amit Malik, Arunpreet Singh, and Umesh Wanve for their analysis.

And thanks to Ravi Balupari and Benjamin Cruz for their valuable input.


Orginal article: Thursday, March 14, 2013 at 11:34pm by Vikas Taneja
Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising