Attackers use all kinds of attack vectors to steal sensitive information from their targets. Their efforts are not limited to only zero-day vulnerabilities. Malware authors often exploit old vulnerabilities because a large number of organizations still use old vulnerable software. The Trojan Travnet, which steals information, is a classic example of malware that takes advantage of unpatched software. We have recently observed malicious Travnet RTF and Excel documents that exploit old vulnerabilities, such as CVE-2010-3333, in Microsoft Office. During our investigation we identified some samples associated with this campaign that have been active since 2009.
Once Travnet infects a machine, it searches for all document files, such as PDF, PPT, and DOC, and uploads this data to remote servers. To evade detection from network-monitoring appliances such as intrusion detection and prevention systems, the malware sends the stolen data in encrypted format. To reduce the data size, it first uses a compression algorithm and then a Base64 algorithm.
We have observed the following files actively used in this campaign:
- План проведения учения ВМС на 2013 года.xls (“Plan for teaching the Navy in 2013 goda.xls”)
These files exploit old vulnerabilities in Office and drop executable files that are embedded in the original malicious files.
We found that IP address 18.104.22.168 hosted many domains that are part of this campaign.
During our investigation we found that these servers are now hosted at different IPs. The next list shows recent domains associated with this campaign.
Most of the domains are registered with the following Registrar and Name Server:
Some sites are registered to Li Ming and Zhang Lan, which could be fake names. However, their email IDs are also associated with lots of similar websites that are part of this campaign.
The stolen data is being hosted at the following servers:
We found on one server other malicious files using different domains:
The malware injects a DLL into the Internet Explorer process “IEXPLORE.EXE” and starts collecting information and sending to the remote server:
The following image shows how the infected machine sends data to the server:
The stolen data is parsed by nettraveler.asp. Here is a snippet of that file:
As we write this blog, we continue to analyze the samples to ascertain the nature of the data being collected on the remote servers, the potential victims, and the attacker(s). We are also investigating whether this attack is an advanced persistent threat.
McAfee protects against this threat through on-demand User Defined Signatures. Coverage will be included in the Network Security Platform’s next signature release.
Thanks to fellow researchers Anil Aphale, Amit Malik, Arunpreet Singh, and Umesh Wanve for their analysis.
And thanks to Ravi Balupari and Benjamin Cruz for their valuable input.