A complex, targeted malware framework known as Netrepser has been found to have been targeting government agencies since May 2016, likely part of a high-level cyber-espionage campaign.
Last May, the Bitdefender threat response team isolated a number of samples from its internal malware zoo while looking into a custom file-packing algorithm. A deeper look into the global telemetry revealed that this piece of malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets.
The attack is paired with advanced spear phishing techniques and is primarily focused on collecting intelligence and exfiltrating it systematically. However, Bitdefender noted that it takes an unusual approach for an espionage campaign: Netrepser uses readily-available free tools, making it difficult to attribute and taking advantage of the simplicity to better blend in with the environment.
“Its unusual build could have easily made it pass like a regular threat that organizations block on a daily basis; however, telemetry information provided by our event correlation service has pointed out that most of its victims are government agencies,” the firm said, in a report on the code.
Netrepser comes with quite an array of methods to steal information, ranging from keylogging to password- and cookie-theft. It is built around a legitimate, yet controversial recovery toolkit provided by Nirsoft.
“The controversy stems from the fact that the applications provided by Nirsoft are used to recover cached passwords or monitor network traffic via powerful command-line interfaces that can be instructed to run completely covertly,” explained Bitdefender. “For a long time now, the antimalware industry has flagged the tools provided by Nirsoft as potential threats to security specifically because they are extremely easy to abuse, and oversimplify the creation of powerful malware.”
Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool.
For instance, the malware operators have included a killswitch job to clean up after themselves after exfiltration.
“This option is key in establishing that this is not an opportunistic attack, but rather a well-designed espionage campaign with multiple redundancies and, ultimately, a way to deter forensic processes that might recover evidence,” Bitdefender noted.
From its discovery in May 2016 until now, the group behind Netrepser has compromised about 500 computers and exfiltrated an unknown number of documents, login credentials or other pieces of intelligence, the report concludes. While attribution is impossible to determine for sure, technical analysis has revealed that some of the documents and file paths are written in Cyrillic.