Ahmed Sonbol

Detecting NetTraveler variants using Security Analytics

Discussion created by Ahmed Sonbol Employee on Feb 1, 2016

NetTraveler is a malware family that has been associated with APT campaigns against high profile victims in different countries. In this blog post, we will discuss how to detect the beaconing activity of one its variants using RSA Security Analytics.

 

When this NetTraveler variant hits a machine, it enumerates all the files on the system as well as the running processes. The data is encoded and saved to the victim machine. In addition, the binary collects basic system information for identification purposes. Once it is ready, it starts communicating with its C2 server as follows:

 

nettraveler-session.png

 

Where:

  • hostid is the volume serial number as returned by the GetVolumeInformation system call
  • filename has the creation timestamp of the file with the encoded process list
  • filetext has the encoded process list between the two tokens begin:: and ::end

 

And this how the traffic looks in Security Analytics Investigator:

nettraveler-investigator.png

 

Assuming the appropriate meta keys are enabled, the following query can be used to detect NetTraveler network activity:

               action = 'get' && extension = 'asp' && query begins 'hostid='

 

Scan results for a NetTraveler variant can be found here.

 

All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If threat.desc meta key is enabled then you can use the following app rule:

               threat.desc = 'apt-nettraveler-c2'

Outcomes