Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Government Organizations Targeted in “Netrepser” Attacks

A report published by Bitdefender on Friday details a previously undocumented cyber espionage campaign that leverages a piece of malware dubbed “Netrepser” to target government organizations.

A report published by Bitdefender on Friday details a previously undocumented cyber espionage campaign that leverages a piece of malware dubbed “Netrepser” to target government organizations.

The first Netrepser malware samples were discovered by the security firm in May 2016. No information has been shared on the location of the targets, but researchers determined, based on data from the threat’s command and control (C&C) infrastructure, that the malware had infected more than 500 machines. Most of the victims are government agencies.

Bitdefender told SecurityWeek that the attacks are ongoing, and the company has not found any evidence linking this campaign to other threat actors.

The Netrepser Trojan is mainly designed for intelligence gathering, and it allows attackers to collect system information, email and instant messaging passwords, session cookies and passwords from web browsers, and keystrokes.

“Paired with advanced spear phishing techniques and the malware’s primary focus to collect intelligence and exfiltrate it systematically, we presume that this attack is part of a high-level cyber-espionage campaign,” Bitdefender said in its report.

Researchers pointed out that while the attack is complex, the Netrepser malware relies heavily on free tools to carry out various tasks. Experts determined that much of its functionality is provided by a controversial recovery toolkit from Nirsoft, which many antimalware vendors have flagged due to the fact that it can easily be abused for malicious purposes.

For example, Nirsoft email and instant messaging password recovery tools are used by the Netrepser malware to steal email and IM passwords. Another Nirsoft utility is used by the Trojan to steal passwords stored in browsers.

The list of legitimate tools abused by Netrepser also includes WinRAR, used to compress stolen data before exfiltration, and SDelete from Sysinternals, which is used to delete files likely in an effort to prevent the recovery of forensic evidence. Researchers noted that nearly all third-party tools used in these attacks are packed with what appears to be a custom packer.

Advertisement. Scroll to continue reading.

According to Bitdefender, the Netrepser malware is delivered via spear-phishing emails that carry malicious documents.

One of the documents was titled “Russia Partners Drafting guidelines (for directors’ discussion),” but researchers also found files with Russian names that translated to “installation” and “Ural.” The malicious documents leverage macros to deliver the final payload in the form of JavaScript or JavaScript Encoded files.

The English-language document appeared to have been sent by Donald Spencer, a managing director of private equity investment firm Siguler Guff. One of the company’s founding partners, Drew Guff, gave a speech last year at the St. Petersburg International Economic Forum.

While Bitdefender has refrained from making any statement on attribution, the company pointed out that, in addition to documents, some file paths used by the malware are also written in Cyrillic script.

Related: Russian Cyberspies Use New Mac Malware to Steal Data

Related: U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

Related: Denmark Says Russia Hacked Defense Ministry Emails

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...