Cyber-criminals are actively updating the Travnet malware and improving the botnet’s infrastructure to boost its document-stealing capabilities, researchers found.
The latest version of the Travnet Trojan now features a new compression algorithm, a new list of files to search for and steal, and compiles a list of all running processes, Umesh Wanve, a principal research engineer at McAfee, wrote on the McAfee Labs blog this week. Travnet now also installs the PCRat remote administration tool (RAT) to give attackers full control over the victim machine.
The updated malware now searches the compromised machine for Office documents, PDF files, drawings created by CAD and CorelDraw applications, and source code files. The targeted file extensions are .doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf, .pdf, .dwg, .cdw, and .cdr. The malware also looks for source code files with the .c extension, Wanve said.
The file pathnames are written to an index.ini file. All the files are compressed, encrypted, and then transferred to a remote server, Wanve said.
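The harvesting behaviour described above (bulk reads of files with the targeted extensions, followed by a write of an index.ini manifest) is something endpoint telemetry can surface. The following is an added detection example, not code from McAfee or the article; it assumes a constructed, simplified file-event log format of "timestamp,pid,process,op,path" and flags any process that reads several targeted files and then writes an index.ini.

```python
import ntpath
from collections import defaultdict

# File extensions the article says the updated Travnet searches for.
TRAVNET_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
                ".rtf", ".pdf", ".dwg", ".cdw", ".cdr", ".c"}

# Constructed sample telemetry (not real data): "ts,pid,process,op,path".
# pid 4120 reads five targeted files plus a .txt and then writes index.ini;
# pid 880 is a user opening a document in Word and never writes a manifest.
SAMPLE_EVENTS = r"""
1000,4120,update.exe,read,C:\Users\a\Documents\q3-report.docx
1001,4120,update.exe,read,C:\Users\a\Documents\budget.xlsx
1002,880,winword.exe,read,C:\Users\a\Documents\letter.doc
1004,4120,update.exe,read,C:\Users\a\Downloads\spec.pdf
1005,4120,update.exe,read,C:\Users\a\Desktop\notes.txt
1006,4120,update.exe,read,C:\Projects\cad\frame.dwg
1008,4120,update.exe,read,C:\Projects\src\main.c
1009,4120,update.exe,write,C:\Users\a\AppData\Local\Temp\index.ini
"""

def parse_events(text):
    """Parse CSV-style telemetry lines into dicts; paths may contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, op, path = line.split(",", 4)
        events.append({"ts": int(ts), "pid": int(pid), "proc": proc,
                       "op": op, "path": path})
    return events

def ext_of(path):
    """Lower-cased extension of a Windows path, or '' if it has none."""
    return ntpath.splitext(path)[1].lower()

def find_harvesters(events, min_docs=5):
    """Return {pid: summary} for processes that read at least min_docs files
    with Travnet-targeted extensions and afterwards wrote an index.ini."""
    reads = defaultdict(list)
    manifest_ts = {}
    for e in events:
        if e["op"] == "read" and ext_of(e["path"]) in TRAVNET_EXTS:
            reads[e["pid"]].append(e)
        elif e["op"] == "write" and e["path"].lower().endswith("index.ini"):
            manifest_ts[e["pid"]] = e["ts"]
    hits = {}
    for pid, rs in reads.items():
        if len(rs) >= min_docs and manifest_ts.get(pid, -1) >= rs[0]["ts"]:
            hits[pid] = {"proc": rs[0]["proc"], "docs": len(rs),
                         "exts": sorted({ext_of(r["path"]) for r in rs})}
    return hits
```

The threshold and the index.ini name are tuning knobs; a real deployment would take the manifest filename and extension list from current samples rather than from a news report.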
“Thus the malware steals of the important files from the victim’s machine,” Wanve wrote.
Originally detected in March, the Travnet Trojan used a variant of the Lempel–Ziv–Storer–Szymanski (LZSS) algorithm to compress the data and then encoded the information using custom Base64, Wanve said. With the old Travnet, it was fairly straightforward to read the output of the compression but the new Travnet binary modified the algorithm used for compression, making it harder to decompress the data, Wanve said.
The attackers have updated the main binary and are randomly generating the .asp files that control the bot from their control servers. They also appear to be restoring previously downed domains and their .asp files so that they can continue to collect data from previously infected machines, Wanve said.
The updated Travnet also collects the list of running processes on the system before transferring the encrypted file to a remote server. The old Travnet bot initially stole a lot more information about the machine such as IP configuration details, username, operating system, and computer name, Wanve noted.
Once the stolen documents have been uploaded, the control server instructs Travnet to download PCRat, a RAT written in Chinese. PCRat connects to a different remote control server on a different port, and then sends even more information about the machine in an encrypted format, Wanve said. Unlike the Travnet binary, which essentially had only two commands (uninstall and upload), PCRat is capable of executing a longer list of commands.
“With the help of PCRat, the Travnet botnet takes full control of a victim’s machine,” Wanve said.
In an analysis back in April, McAfee researchers detected Chinese strings in Travnet’s source code, leading them to conclude that Travnet was being used as part of a targeted attack to steal sensitive data, and that “huge amounts of data” had already been stolen from victims.
“We suspect the attackers are using the initial data—computer information, IPs—to steal sensitive data from a particular group or identity,” Wanve wrote.
McAfee researchers believe that victims are being infected with Travnet via malicious email messages. The Trojan targets various vulnerabilities in Microsoft Office, including CVE-2010-333, a flaw which was also exploited by the cyber-gang behind Red October. Travnet does not appear to be targeting any zero-days at this point, but vulnerabilities which have already been patched. Some Travnet samples have been active since 2009, McAfee said.
“The attackers behind Travnet are very active,” Wanve wrote.