Bitdefender researchers have unearthed a previously unknown malware framework that, unlike those used by most APTs, contains many legitimate utilities.
Dubbed Netrepser, the framework is used to find and exfiltrate all kinds of information from compromised Windows systems. The researchers believe that it is wielded by a dedicated cyber espionage group, as the victims are mostly computer systems of government agencies.
Malicious macros and legitimate utilities
Netrepser is usually delivered via spear-phishing emails spoofed to look like they are coming from a legitimate source. The email purports to deliver a document containing guidelines for discussion or a similar benign DOC file, and the recipient is urged to enable macros in order to view the contents of the file:
This JS/JSE payload contacts the C&C server, send basic information about the compromised system, and fetches and executes malicious jobs with the help of legitimate tools and malware downloaded directly from it.
It uses, among other things:
- WinRAR to compress files for exfiltration
- Email Password Recovery and IM Password Recovery – two legitimate password recovery tools developed by Nirsoft – to steal passwords
- WebBrowserPassView (also by Nirsoft) to steal browser cookies and stored passwords
- sdelete (by SysInternals) to securely delete specific files present on the system
- A customized job to uploads a specific file from the victim system to the C&C server
- A keylogger
- A killswitch job to delete the malware from the system. It deletes files and
All of these tools are packed with a custom file-packing algorithm that seems unique to this group, but that doesn’t tell us who are these hackers.
“Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool,” the researchers noted.
“Because of the nature of these attacks, attribution is impossible unless we dig into the realm of speculation. Our technical analysis however, has revealed that some documents and file paths this campaign is using are written in Cyrillic.”
Technical details and indicators of compromise tied to this campaign can be found here.