Inside Netrepser - a JavaScript-based targeted attack

Presented at VB2017, Oct. 5, 2017, 4 p.m. (30 minutes)

Targeted attacks are usually deployed to interfere with the operation of specific entities. In order to get the job done, the attackers run low under the radar for a considerable period of time, allowing them to operate unrestricted in the victim's environment. These kinds of attacks are usually custom-made with just enough features to enable them to carry out the attacks for which they have been designed. The piece of malware presented in this paper, Netrepser, uses quite an array of methods to steal valuable and specific information from specific victims. It is built around a legitimate, yet controversial recovery toolkit provided by *NirSoft*. The cybercriminals manage to play the simplicity card to better blend in with the environment. We have isolated and dissected the malware in order to better understand its early stages. This paper will detail its method of distribution through advanced spear-phishing techniques, its communication with the C&C servers, the JavaScript payloads used in the attack, the methods of collecting intelligence and exfiltrating it systematically, the tools used, the methods of obfuscation deployed to avoid detection and, ultimately, the impact it has on the victim's data. Analysing this piece of malware, observing its primary focus, the number of victims and the data it gathers, we presume that this targeted attack is part of a cyber-espionage campaign.

Presenters:

• Alexandru Maximciuc - Bitdefender
  Alexandru Maximciuc Alexandru Maximciuc is passionate about reverse engineering, likes Perl and Go, and studied mathematics. He has been working at Bitdefender for ten years, and he really enjoys fighting malware. @amaximciuc
• Adrian Schipor - Bitdefender
  Adrian Schipor Adrian Schipor has worked at Bitdefender for four years and is passionate about reverse engineering, exploits and cryptography. He is also currently studying for a Ph.D. in cryptography at the 'Alexandru Ioan Cuza' University of Iasi. @agschipor
• Cristina Vatamanu - Bitdefender
  Cristina Vatamanu Cristina Vatamanu graduated from the Faculty of Computer Science at the University of 'Gheorghe Asachi'. She has worked at Bitdefender for almost eight years. Some of her responsibilities (and hobbies) include reverse engineering, exploit analysis, and automated systems. @_CristinaV

Links:

• https://www.virusbulletin.com/conference/vb2017/abstracts/inside-netrepser-javascript-based-targeted-attack

Similar Presentations:

• VB2018 / Behind the scenes of the SamSam investigation
• VB2017 / XAgent: APT28 cyber espionage on macOS
• VB2017 / Last-minute paper: FinFisher: New techniques and infection vectors revealed