Anti-Malware Research Whitepapers

Inside Netrepser – a JavaScript-based Targeted Attack

In May 2016, the Bitdefender threat response team isolated several samples from the internal malware zoo while looking into a custom file-packing algorithm. A deeper look into our global telemetry revealed that this piece of malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets.

Its unusual build could have easily made it pass for a regular threat like many of those that organizations block on a daily basis; however, telemetry information provided by our event correlation service has pointed out that most of its victims are government agencies. Paired with advanced spear phishing techniques and the malware’s primary focus to collect intelligence and exfiltrate it systematically, we presume that this attack is part of a high-level cyber-espionage campaign.

The piece of malware we look at in this report comes with quite an array of methods to steal information, ranging from keylogging to password and cookie theft. It is built around a legitimate, yet controversial recovery toolkit provided by Nirsoft. The controversy stems from the fact that the applications provided by Nirsoft are used to recover cached passwords or monitor network traffic via powerful command-line interfaces that can be instructed to run completely covertly. For a long time now, the antimalware industry has flagged the tools provided by Nirsoft as potential threats to security specifically because they are extremely easy to abuse, and oversimplify the creation of powerful malware.

A full analysis of the Netrepser Trojan

This whitepaper offers a detailed account of the infection mechanism, its operation and data exfiltration, as well as a list of indicators of compromise to help you detect Netrepser in your infrastructure.

Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Alexandru MAXIMCIUC

Alexandru MAXIMCIUC

Alexandru "Sasha" Maximciuc is a veteran malware researcher with more than 12 years of experience. His research is mostly focused on exploits, advanced persistent threats and packing technologies.

About the author

Cristina VATAMANU

Cristina VATAMANU

Cristina Vatamanu specializes in anti-malware research and machine learning technologies. She spent the past seven years doing threat research at Bitdefender and developing algorithms to help fight advanced cyber-threats. She is currently doing a PhD in machine learning where she does groundbreaking research in artificial intelligence applied to malware detection.

About the author

Adrian SCHIPOR

Adrian SCHIPOR