A report published by Bitdefender on Friday details a previously undocumented cyber espionage campaign that leverages a piece of malware dubbed “Netrepser” to target government organizations.
The first Netrepser malware samples were discovered by the security firm in May 2016. No information has been shared on the location of the targets, but researchers determined, based on data from the threat’s command and control (C&C) infrastructure, that the malware had infected more than 500 machines. Most of the victims are government agencies.
Bitdefender told SecurityWeek that the attacks are ongoing, and the company has not found any evidence linking this campaign to other threat actors.
The Netrepser Trojan is mainly designed for intelligence gathering, and it allows attackers to collect system information, email and instant messaging passwords, session cookies and passwords from web browsers, and keystrokes.
“Paired with advanced spear phishing techniques and the malware’s primary focus to collect intelligence and exfiltrate it systematically, we presume that this attack is part of a high-level cyber-espionage campaign,” Bitdefender said in its report.
Researchers pointed out that while the attack is complex, the Netrepser malware relies heavily on free tools to carry out various tasks. Experts determined that much of its functionality is provided by a controversial recovery toolkit from Nirsoft, which many antimalware vendors have flagged due to the fact that it can easily be abused for malicious purposes.
For example, Nirsoft email and instant messaging password recovery tools are used by the Netrepser malware to steal email and IM passwords. Another Nirsoft utility is used by the Trojan to steal passwords stored in browsers.
The list of legitimate tools abused by Netrepser also includes WinRAR, used to compress stolen data before exfiltration, and SDelete from Sysinternals, which is used to delete files likely in an effort to prevent the recovery of forensic evidence. Researchers noted that nearly all third-party tools used in these attacks are packed with what appears to be a custom packer.
According to Bitdefender, the Netrepser malware is delivered via spear-phishing emails that carry malicious documents.
One of the documents was titled “Russia Partners Drafting guidelines (for directors’ discussion),” but researchers also found files with Russian names that translated to “installation” and “Ural.” The malicious documents leverage macros to deliver the final payload in the form of JavaScript or JavaScript Encoded files.
The English-language document appeared to have been sent by Donald Spencer, a managing director of private equity investment firm Siguler Guff. One of the company’s founding partners, Drew Guff, gave a speech last year at the St. Petersburg International Economic Forum.
While Bitdefender has refrained from making any statement on attribution, the company pointed out that, in addition to documents, some file paths used by the malware are also written in Cyrillic script.
Related: Russian Cyberspies Use New Mac Malware to Steal Data
Related: U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack