
Hello everyone, welcome back, I hope you had a good lunch. I am Christina and I've been with the Bitdefender Cyber Threat Intelligence Lab for over eight years now, and today I am here to speak about a research project I did a while back together with my colleagues Alexandre and Adi. As the title states, the research is about what we call Netrepser, which is a targeted attack based on JavaScript files. I do hope you find the information useful, maybe to check it yourself, and if some of you have seen anything similar, please don't hesitate to contact us.

The agenda for today is quite simple: first we are going to review some general facts about the case we investigated, then we are going to take a dive into the technical aspects behind the attack, and in the end, of course, we will close with some conclusions.

Now, as quick facts: we started to investigate this case in May 2016, when we saw the first sample during our triage process. It caught our attention because of its unusual payload: the first file dropped on the disk was a JavaScript file, and as we took a closer look into it, we discovered that all the custom jobs it was instructed to execute were also JavaScript files. Its main purpose is to collect and exfiltrate intelligence from the victim's computer, and as far as we have seen from our telemetry, the victims fall into the government sector. We also estimated around 500 victims in our initial assessment. I do have to say that this is an estimated number, based on our observations of the malware's functionality, as we will explain further on.

Now, for the technical details. As in most of our cases, it all started with an email. In August we found the infection vector in the form of an email, which was actually a forwarded message; the initial message belonged to Donnell Spencer, who is the director of Sigilyph. Based on their description on LinkedIn, they are a multi-strategy private investment firm with real estate spanning from Mumbai to Moscow. I don't personally know them, but apparently they're very big. I don't know if you are able to read the email; the content seems to be related to an acquisition event, and the attachment is a document file with a name related to the content of the email: "Russia partner drafting guidelines for directors discussion". We also found similar samples whose names were written in Cyrillic, revealing a special interest in Slavic-speaking victims; during our investigations we also found other details which highlighted this interest.

Now, the document attachment had embedded macros in it, and when executed it will prompt a message on how to enable macros for three different Microsoft Office versions: 2010, 2007 and 2003. Once the macros are enabled, the payload is dropped on the disk in the form of a JavaScript file or a JavaScript encoded file. Also, through the INCLUDEPICTURE directives, when executed, a statistic is built on the number of victims per campaign: the directive would ping the command and control server, announcing to it that a new victim was successfully infected with a certain payload, which is marked by the name of the offending document, in our case "Russia partner drafting guidelines".

Now let's take a closer look at the VB macros. Their purpose is to drop and execute the main payload, the main script. As far as we have seen, earlier attacks are based on JavaScript files; newer ones switched to JavaScript encoded files. The first attacks have macro scripts which are simpler: they only drop the payload on the disk and execute it directly with wscript.exe. Newer ones are a bit more refined; they have macros which are heavily obfuscated, as can be seen on the right side of the picture, and they are a bit more complex. So, in the background, they will save the payload in a shape in the document, they will load the payload into a variable and then delete it from the document itself before dropping it on the disk. The script would check the internet connectivity, so it will perform a GET request to the C&C server; only if connected will it drop the payload on the disk and execute it with wscript.exe.

The main payload is saved in the user profile or the Local Application Data folder, depending on the campaign. It impersonates a legitimate tool called Complete Internet Repair, and in order to trick someone who would be suspicious and check the file, it has a comment appended at the beginning of the file with the description of the legitimate tool. Once executed, it will ensure its persistence: it will set itself at startup either through the scheduled tasks approach or through the registry keys, depending on the operating system version. It has two main functionalities: one, to download and execute the registration script, and then to download and execute the job scripts.

The registration script is downloaded and executed by the main script; as I've told you, it is executed through the eval function, so the script isn't saved on the disk, it runs only in memory. It registers the infected machine to the C&C server, and for that it will send a fingerprint of the system containing a list of primary information such as the list of the antivirus products installed, the free space on the primary disk, whether the user is an admin or not, the operating system version, a code name which is hard-coded in the main script, and also the user name. All this information is sent to the server as parameters of the request. The server responds with a unique bot ID, which is the identification of the infection, and with that the registration will create a configuration file where it will write the URL used for retrieving future jobs. This configuration file will be used by the main script in order to retrieve the jobs, and those jobs are also JavaScripts which are executed only in memory; they don't touch the disk.

Now, our first registration gave us an ID very close to 500. Subsequent registrations to the C&C infrastructure confirmed that this ID is merely a counter, as the responses were incremental. This is why in the beginning I said that we've estimated around 500 victims in our initial assessment. I do have to say that sometimes, if a machine gets infected twice, it will receive two different IDs, so this number remains an estimation.

Now, because we are a community of very curious people, we couldn't stop wondering what the purpose of this framework is, so we took advantage of the fact that on the server side no additional information is checked in order to identify a victim, and we decided to impersonate all the 500-plus victims and to request jobs on their behalf in order to see what they were instructed to do. Although most of our requests remained unanswered, showing us that the attackers had lost interest in some victims over time, we were able to retrieve a number of jobs which helped us draw a functionality map for this framework, and we've identified nine categories of such jobs. So I will quickly go through them.

The first job is a functional job: it will ensure that on the infected device the very well-known application WinRAR is installed, so if not present, the job will download a certain version of the application that matches the operating system and it will install it. The application isn't downloaded from the official site; it is downloaded from their own repository. All the information which is slated to be exfiltrated will be first compressed with WinRAR and only then sent to the C&C server.

The next two jobs are in charge of fingerprinting the system. Get File List will compile and upload a file with all the file names available on the system, and in order to do that the job will execute these two commands on every available drive. The file names, together with the file sizes, will then be compressed with WinRAR; they will be password protected with the password "u.s. Secret Service" and then uploaded to the C&C server. This password will be used for every piece of information that is exfiltrated. The next job will provide the attacker a detailed report about the system. When executed, the script creates a file named systeminfo.txt in the temporary folder, which will contain the following information: the Windows version, the user name, information about the drives and storage, all the running processes, all the joined network domains, the current domain, current domain users and groups, a detailed topology of the network which hosts the infected computer, and information from Win32_SystemEnclosure. Of course, all this information is password-protected, compressed and sent to the C&C server.

The next two jobs are in charge of collecting credentials. Get Mail and IM Passwords would, of course, collect the passwords for all the email and IM accounts available on the system. In order to do that, they will download two free NirSoft recovery tools, again not from their official site but from their own repository; these tools are an email password recovery tool and an IM password recovery tool, and all the information is again compressed, password protected and sent to the C&C server. Apart from exfiltrating usernames and passwords, the malware can also steal logged-in sessions in the form of browser cookies and stored passwords. So, when received, this job will search for cookie files in different folders, and to get the stored passwords from the browser it will use another NirSoft recovery tool, WebBrowserPassView, and of course the result is password-protected, compressed and sent to the C&C server.

And because it's cool to have a keylogger, they also can send a keylogger, which is downloaded from their own repository. The first stage is to download the keylogger and save it in the temporary folder with the name "SMS report.exe". Before executing it, the job will ensure that there is no other process with this name. We believe that they expected that some victims already ran a version of the keylogger, which is highlighted also by the fact that the job's name contains "version two" in it, so there might be an older version of the keylogger which we weren't able to isolate. Once started, the keylogger will save the keystrokes in logs. Luckily, there isn't any automatic task which uploads these logs to the C&C servers, so we presume that they exfiltrate these logs using another complementary job, Path Download.

Now, Path Download: we believe that this is actually the core job of the framework. It is a customized job, especially built for each victim, and its purpose is to upload to the C&C server certain files from the computer. These requested files are compressed and password-protected before they are uploaded. The paths of the files are hard-coded into these scripts, so this is why we say that this job is customized for each victim. Looking through the data they've requested, we would really get an insight into the attackers. For example, we've learned that they are art lovers and big fans of Rudovika Machete, because they really wanted this picture; they have requested it many times. We don't know if there's more to this interest; we searched for additional proof but weren't able to find any of it, so we've stuck with the theory of big fans of the painter. But kidding aside, we've observed that their primary focus was to retrieve different configuration files that would help them retrieve other sensitive information. For example, we have ID 142: the paths that they are requesting are written in Cyrillic, which is another proof that they are interested in Slavic-speaking victims, and taking a closer look at what they've requested, we can see that there are text files and backups for Kerio products.

Kerio software, as they state, helps businesses connect, collaborate and communicate securely. Apparently they are used by 60,000 businesses and millions of users worldwide, so they're pretty widespread. They have a wide variety of products, from email management to firewall protection and management for voice over IP applications. For example, the first product ensures collaborative Word documents and spreadsheets; it assures management of email accounts, calendars, contacts, tasks, chats and so much more. So if the attackers get the identification credentials for this kind of software, they will have access to all this sensitive information: they could retrieve confidential documents, they could retrieve emails, they could have their victims' schedules by looking through the calendars, they will have the contacts, and they could read messages and so on. So this job actually gives the attackers great power of spying, and this is why we say that it is actually the core job of this framework.

Of course, they also have jobs dedicated to cleaning up after themselves. The first one installs a free tool from Sysinternals, SDelete. Although all the third-party tools are saved in the temporary folder, SDelete is saved in the working directory of the script as csrss.exe or conhost, depending on the sample. The SDelete utility is used to securely delete specific files on the system; we presume that they use it to clean up after the main script and overwrite the deleted files so that the forensics process could not recover any evidence. They download this utility not from the official site but from their own repository.

The second job is actually a kill switch. After the exfiltration process is complete, the malware downloads this job in order to clean up after themselves. Its purpose is to delete every trace, and depending on the level of infection or depending on the campaign, this operation differs from one victim to another, but putting together a list of actions they can do: they can delete all the related registry keys or the related scheduled tasks, they delete files and folders from the temporary folder and from the working directory, and also they terminate all the processes related to the infection.

As a last observation, I would like to mention a characteristic that helped us pivot around and find new similar files. During our analysis we've seen that all the third-party tools and the keylogger were packed with an algorithm that seemed to be proprietary to the attackers. The packer had a shifted piece of code in the text section, and the purpose of that code was to unpack the actual tool, which was found in the resources of the packer. In order to decrypt that piece of code, an unshift algorithm is called several times. This algorithm uses a master key and several secondary keys, and it is called each time with the master key and a secondary key. As far as we have seen, the secondary keys are the same among many samples; the master key differs each time. After it is decrypted, the program jumps to that code, which would unpack and decrypt the tool and then execute it.

So, to sum up: we started looking into this in May 2016. The purpose of the framework is to collect and exfiltrate intelligence. As far as we have seen in our telemetry, the victims fall into the government sector, and we've estimated around 500 victims in our initial assessment. From its functionality and the information they exfiltrated, we believe that it might be used as a pre-campaign for another, more elaborate attack. And with that, that would be it. If you have seen anything similar, please don't hesitate to contact us, and if you are interested in more IoCs or technical details, you can find the white paper on our company blog. So I would like to thank you all for your attention.
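As an added example (not from the talk or from Bitdefender), the following Python triage rules run over constructed process-creation events and flag three behaviours the talk describes: a script host running a .js/.jse payload from the user profile or Local AppData, a csrss.exe/conhost.exe image outside System32 (where the renamed SDelete was dropped), and WinRAR invoked with the reported archive password. The event shape, file names and paths are assumptions, not values from the talk.

```python
import ntpath
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "image cmdline")  # assumed telemetry shape
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse")                         # plain and encoded JScript payloads
USER_LOCATIONS = ("\\users\\", "\\appdata\\local\\")  # user profile / Local AppData
MASQUERADE_NAMES = {"csrss.exe", "conhost.exe"}       # names SDelete was dropped under
SYSTEM_DIR = "c:\\windows\\system32\\"
RAR_IMAGES = {"rar.exe", "winrar.exe"}
EXFIL_PASSWORD = "u.s. secret service"                # archive password from the talk
_ARG = re.compile(r'"([^"]*)"|(\S+)')

def cmd_args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in _ARG.findall(cmdline)]

def script_from_user_location(ev):
    """wscript/cscript launching a .js/.jse stored under a user-writable path."""
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return False
    args = [a.lower() for a in cmd_args(ev.cmdline)[1:]]
    return any(a.endswith(SCRIPT_EXTS) and any(loc in a for loc in USER_LOCATIONS)
               for a in args)

def renamed_system_binary(ev):
    """A csrss.exe/conhost.exe image that does not live in System32."""
    image = ev.image.lower()
    return ntpath.basename(image) in MASQUERADE_NAMES and not image.startswith(SYSTEM_DIR)

def rar_with_known_password(ev):
    """WinRAR invoked with the password the talk attributes to the exfil archives."""
    return ntpath.basename(ev.image).lower() in RAR_IMAGES and EXFIL_PASSWORD in ev.cmdline.lower()

RULES = (script_from_user_location, renamed_system_binary, rar_with_known_password)

def triage(events):
    """Return (rule name, image path) for every rule each event trips."""
    return [(r.__name__, ev.image) for ev in events for r in RULES if r(ev)]

# Constructed sample telemetry (not real data): three suspicious events, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\CompleteInternetRepair.js"'),
    ProcEvent(r"C:\Windows\System32\csrss.exe", "csrss.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\csrss.exe", r"csrss.exe C:\Users\alice\AppData\Local\Temp\systeminfo.txt"),
    ProcEvent(r"C:\Program Files\WinRAR\Rar.exe", r'Rar.exe a -hp"u.s. Secret Service" out.rar systeminfo.txt'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" C:\Windows\System32\slmgr.vbs /dlv'),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the three suspicious events, one per rule, and leaves the legitimate csrss.exe and the system-script wscript.exe launch untouched.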