Security Experts:

Connect with us

Hi, what are you looking for?



Government Organizations Targeted in “Netrepser” Attacks

A report published by Bitdefender on Friday details a previously undocumented cyber espionage campaign that leverages a piece of malware dubbed “Netrepser” to target government organizations.

A report published by Bitdefender on Friday details a previously undocumented cyber espionage campaign that leverages a piece of malware dubbed “Netrepser” to target government organizations.

The first Netrepser malware samples were discovered by the security firm in May 2016. No information has been shared on the location of the targets, but researchers determined, based on data from the threat’s command and control (C&C) infrastructure, that the malware had infected more than 500 machines. Most of the victims are government agencies.

Bitdefender told SecurityWeek that the attacks are ongoing, and the company has not found any evidence linking this campaign to other threat actors.

The Netrepser Trojan is mainly designed for intelligence gathering, and it allows attackers to collect system information, email and instant messaging passwords, session cookies and passwords from web browsers, and keystrokes.

“Paired with advanced spear phishing techniques and the malware’s primary focus to collect intelligence and exfiltrate it systematically, we presume that this attack is part of a high-level cyber-espionage campaign,” Bitdefender said in its report.

Researchers pointed out that while the attack is complex, the Netrepser malware relies heavily on free tools to carry out various tasks. Experts determined that much of its functionality is provided by a controversial recovery toolkit from Nirsoft, which many antimalware vendors have flagged due to the fact that it can easily be abused for malicious purposes.

For example, Nirsoft email and instant messaging password recovery tools are used by the Netrepser malware to steal email and IM passwords. Another Nirsoft utility is used by the Trojan to steal passwords stored in browsers.

The list of legitimate tools abused by Netrepser also includes WinRAR, used to compress stolen data before exfiltration, and SDelete from Sysinternals, which is used to delete files likely in an effort to prevent the recovery of forensic evidence. Researchers noted that nearly all third-party tools used in these attacks are packed with what appears to be a custom packer.

According to Bitdefender, the Netrepser malware is delivered via spear-phishing emails that carry malicious documents.

One of the documents was titled “Russia Partners Drafting guidelines (for directors’ discussion),” but researchers also found files with Russian names that translated to “installation” and “Ural.” The malicious documents leverage macros to deliver the final payload in the form of JavaScript or JavaScript Encoded files.

The English-language document appeared to have been sent by Donald Spencer, a managing director of private equity investment firm Siguler Guff. One of the company’s founding partners, Drew Guff, gave a speech last year at the St. Petersburg International Economic Forum.

While Bitdefender has refrained from making any statement on attribution, the company pointed out that, in addition to documents, some file paths used by the malware are also written in Cyrillic script.

Related: Russian Cyberspies Use New Mac Malware to Steal Data

Related: U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

Related: Denmark Says Russia Hacked Defense Ministry Emails

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...