In 2014 the actors behind global cyber espionage campaign “Operation NetTraveler” celebrate ten years of activity. NetTraveler has targeted more than 350 high-profile victims in 40 countries. So it is high time we make our research public .We were able to attribute Netravler to PLA[People liberation Army] military camp in Lanzhou. We provide our analysis in the form of a PPT slide.

1. www.Garage4Hackers.com
Lessons learned tracking an APT team
Advance Persistent Threats
[APT] Tracking for Dummies
http:/www.Garage4Hackers.com
Garage4Hackers

2. About Me
[Garage4Hackers ]
A community of like minded security folks.
Garage4Hackers
Forum based community www.Garage4Hackers.com.
Ranchoddas Series Webcast every month [promoting free
info sec education]. :- THN is one of our biggest supporter.
www.garage4hackers.com/ranchoddas-webcast
https://twitter.com/Garage4Hackers
Our views and opinions do not represent those of our
employers.

3. Netravler APT Attribution
This talk would be on how we attributed the APT team
behind Netravler .
How we did it and how you could do the same.
Reference:
http://www.kaspersky.com/about/news/virus/2013/NetTraveler
_is_back_with_new_tricks
http://www.kaspersky.com/about/news/virus/2014/NetTraveler
-Gets-Makeover-for-Tenth-Anniversary
http://kasperskycontenthub.com/wp-content/
uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-
final.pdf

4. Tracking an APT Team
Agenda:
Garage4Hackers
Exploit/Malware analysis.
Information gathering .
Finding security bugs in attacker infrastructure.
Taking over attacker Command and Controller
servers.
Identifying victims.
Countering attacks.
What ever mentioned in the talk today is based on data collected
over an year. This research was done with active participation
from g4h members

5. The Attack.
Spear-phishing :Comes form Spoofed email
address via email.
Garage4Hackers
Watering hole technique (browser exploits, drive
by downloads) to infect victims surfing the web

6. Step 1: Email header analysis .
Evidences to Collect.
http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx
1) Collect sender time, return path, SMTP address etc.
Garage4Hackers

7. Garage4Hackers
Step 2: Exploit Analysis
The objective is to identify/extract the malware dropped using
the exploit.
Collect Metadata embedded in the exploit .
Find any piece of information that would help in attribution.
Identify CVE using virustotal.com helps when the exploit is
not a 0-day .

8. Automated: MS-office exploit
analysis.
These sites should help.
www.document-analyzer.net/
www.joesecurity.org
http://scan.xecure-lab.com/
Garage4Hackers

9. Extracting Malware out of
Exploits.
Manual: MS-office exploit analysis.
Garage4Hackers
Run the document file in a virtual machine and use process
monitor to watch system level changes [drops at temp file].
Use Sandboxie to execute the document file and extract the
binary.
Load office in a debugger and put breakpoints at file write API.

10. Evidences Collected from Step
1,2.
Sent from a spoofed email address .
The email contained a malicious attachment, which exploited cve-
2010-333 rtf exploit .
Based on initial analysis the same malware samples were used to
attacks Korea and Russia.
Campaign that have been active since 2009 .
Opening the exploit drops a legitimate file with
md5: e617348b8947f28e2a280dd93c75a6ad.
File Name: Jallianwala Bagh massacre a deeply shameful act.doc
It drops the following binaries:
c0c093987a55fe9ac61e6e2b5a362d51 netmgr.dll
8dc61b737990385473dca9bfc826727b winlogin.exe
Garage4Hackers

11. Step 3: Malware Analysis
Evidences to Collect.
Command and Control Domain names/ IP address.
Whois Information about the IP address.
Registrant Email Address
Malware Activities.
Interesting strings in Malware .
Garage4Hackers

12. Automated Malware
Analysis
http://anubis.iseclab.org/
https://aerie.cs.berkeley.edu/
http://camas.comodo.com/
http://eureka.cyber-ta.org/
https://malwr.com/submission/
http://www.threatexpert.com/submit.aspx
Garage4Hackers
http://www.threattracksecurity.com/resources/sandbox-malware-
analysis.aspx
Source: http://zeltser.com/reverse-malware/automated-malware-analysis.html

13. Manual: Malware
Analysis. Reversing Malware:
• Normally controller
information would be
encrypted or encoded
inside the malware.
• Just run the malware in a
debugger and then
analyze the heap for IP
address / Domain patters.
• Alternately put breakpoint
at Winsock Functions and
analyze the stack .
http://msdn.microsoft.com/en-us/
library/windows/desktop/ms7413
94(v=vs.85).aspx
Garage4Hackers

14. Manual: Malware
Analysis.
• You can figure out
encryption/encoding
algorithms.
• The current malware
compressed data and then
base64 encoded them
before sending them to
attacker controlled servers.
• Registry / File system
values malwares write for
persistence.
Garage4Hackers

15. Evidences Collected from Step 3.
Controller Information:
http://www.faceboak.net/2012nt/nettraveler.asp
IP: 110.34.193.13
Request: Compressed+B64 encoded Get request
Garage4Hackers

16. Domain Information.
IP address 110.34.193.13 hosted many
domains .
Also each domains we identified were
behind the fast flux domain.
Registrant email ID were found using
whois and was used to reverse query
other domains.
Source: http://blogs.mcafee.com/mcafee-labs/
travnet-trojan-could-be-part-of-apt-campaign
Garage4Hackers

17. We wrote a Fast Flux
Monitor
Garage4Hackers
• Collected all IP address associated with
the group.
• Created another program to get whois
info of all these IP address registration
information.

18. Garage4Hackers
Step 4: Offensive Attacks on
C&C
Collect information about victims.
Find information about attackers .
Identify stolen information .
Collect tools used by attackers.
Learn about attacker tools and tactics.
Some time you find 0-days on these server, this would give
better protection.
“The only real defense is offensive defense” (Mao
Zedong)

19. Find Vulnerabilities.
On the C&C application .
On the hosted server .
Or what ever evil ways you could think about.
Garage4Hackers
We found a lame bug in the controller application and we had our first non-interactive shell on the
controller.

20. Attack the Attackers
Garage4Hackers

21. Result
Huge no of C&C servers were under control.
Lot of evidences to collect.
Garage4Hackers

22. They looked for :
- .ppt(x) , .xls(x) .doc(x) .pdf
Encrypted ??:
• The contents were
compressed and
unusable.
• Decompression was
needed to convert it
back to a usable
format.
Garage4Hackers

23. Lots of Data and Lots of
Victims
Garage4Hackers
Source: http://www.kaspersky.com/about/news/virus/2014/NetTraveler-Gets-Makeover-for-Tenth-Anniversary

24. Evidences Collected
Webserver logs, System logs .
Activity and admin login logs.
Victim Information.
IP address and Mac Address.
Highlights:
1. Attackers where behind a proxy.
2. Military like working pattern identified
24/7.
3. The controller admins showed lack of
technicalskills. (So the developers of
Nettravler is not themaintainers of the
controllers. )
Garage4Hackers
00 ** ** **
01 ** **
02 ** ** **
03 ** **
04 ** **
05 ** **
06 ** **
07 ** ** **
08 ** **
09 ** **
10 **
11 ** ** **
12 ** ** **
M T W T F S SU

25. Retaliation by AttackersGarage4Hackers
While analyzing the data on the
controllers, we were attacked by the
attackers. The attacker attacked from
61.178.77.18 IP and tried to sent Ms08-
067 exploit .
61.178.77.* is a notorious IP range and
is attributed in many attacks against
governments around the world.
Some advance googling, we stumbled
upon an interesting discovery, soldiers
from PLA Lanzhou camp talking about
their experiences and the above IP was
there .
http://tieba.baidu.com/f?ct=335544320&lm=0&rn=30&tn=
postBrowserN&sc=0&z=65932096&pn=0&word=%C1%D
9%D4%F3
The Lanzhou Military Region is one of
seven military regions in the People's
Republic of China.

26. Netravler Attribution
Huge amount spent for the malware infrastructure
[Military funds].
24/7 Working hours [Military working hours] .
Low technical skills, developers of Netravler were
different from the maintainers [ Trained users not core
hackers].
IP address attribution to PLA[People liberation Army]
military camp.
All evidences were leading to PLA IT department
Lanzhou .

27. The End
Not really :D
Garage4Hackers

28. Tracking the SMTP server. Garage4Hackers
Finger print IP address of SMTP server from Email
header analysis .
Identified an Exploit/Phishing mailer kit named Chilly
fisher
Go to step 4, identify vulnerabilities in the server
hosting the exploit kit.

29. Chilly Fisher Exploit Kit
Garage4Hackers
The kit had a frontend and Backend code .
The function of the Front end code was to send mass
phishing/exploit emails to targets.
The front end code allowed attackers to mass include target
emails, subject and email content.
The phishing email sent has a hyperlink with unique callback
to the backend code.
The kit contained a phishing and browser exploit module .

30. Victim Database
Garage4Hackers

31. Chillyfisher Database
Garage4Hackers
The backend database used is MS-Access . All collected
information is stored in this database.
Chillyfisher instance had "Loginlog" table having
information's about ChillyFisher admins who logged into the
control panel.

32. IP attribution.
All the logged in Admins were from China.
Garage4Hackers
There were around 10,000 unique IP address found in target
db.

33. Chillyfisher Targets.
Garage4Hackers

34. Questions
Garage4Hackers
info@garage4hackers.com
www.Garage4Hackers.com