SecurityWeek

Cybercrime

Upgrades to Travnet Botnet Gives Attackers Full Control of Infected Systems

Cyber-criminals are actively updating the Travnet malware and improving the botnet’s infrastructure to boost its document-stealing capabilities, researchers found.


The latest version of the Travnet Trojan now features a new compression algorithm, a new list of files to search for and steal, and compiles a list of all running processes, Umesh Wanve, a principal research engineer at McAfee, wrote on the McAfee Labs blog this week. Travnet now also installs the PCRat remote administration tool (RAT) to give attackers full control over the victim machine.

The updated malware now searches the compromised machine for Office documents, PDF files, drawings created by CAD and CorelDraw applications, and source code files. The targeted file extensions are .doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf, .pdf, .dwg, .cdw, and .cdr. The malware also looks for source code files with the .c extension, Wanve said.

The file pathnames are written to an index.ini file. All the files are compressed, encrypted, and then transferred to a remote server, Wanve said.
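For an incident responder, the index.ini described above is the fastest way to scope what a Travnet infection staged for upload. The following helper is an added example, not code from McAfee, SecurityWeek or the malware: it parses a constructed sample index (one path per line is an assumption; the article does not describe the file's layout), groups the paths by extension, counts how many fall into the target list the article gives, and applies a simple "does this look like a staging index" heuristic that can be pointed at any suspicious text file found on a host.

```python
"""Triage helper for a Travnet-style staging index.

Added example (not McAfee's, SecurityWeek's or the malware's code). The
article says the bot writes the pathnames of the documents it collects to an
index.ini before compressing and uploading them. Assumed, not from the article:
plain text, one path per line, lines starting with '#' ignored. The sample
index below is constructed for illustration."""

from pathlib import PureWindowsPath

# Extensions the article says the updated Travnet searches for.
TARGETED_EXTENSIONS = frozenset({
    ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".rtf", ".pdf",
    ".dwg", ".cdw", ".cdr", ".c",
})

# Constructed sample of what a staging index might contain on a victim host.
SAMPLE_INDEX = """\
C:\\Users\\alice\\Documents\\q3-forecast.xlsx
C:\\Users\\alice\\Documents\\board-deck.pptx
C:\\Projects\\turbine\\housing.dwg
C:\\Projects\\turbine\\src\\control.c
C:\\Users\\alice\\Downloads\\setup.exe
C:\\Users\\alice\\Documents\\contract.PDF
"""


def parse_index(text):
    """Return the non-empty, non-comment lines as Windows paths."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.append(PureWindowsPath(line))
    return paths


def scope_staged_files(text):
    """Group indexed paths by extension and count those on Travnet's target list.

    Extension comparison is case-insensitive: the article lists lower-case
    extensions, but NTFS file names are not case-sensitive."""
    paths = parse_index(text)
    by_ext = {}
    for p in paths:
        by_ext.setdefault(p.suffix.lower(), []).append(str(p))
    matched = {e: f for e, f in by_ext.items() if e in TARGETED_EXTENSIONS}
    other = {e: f for e, f in by_ext.items() if e not in TARGETED_EXTENSIONS}
    return {
        "total": len(paths),
        "targeted": sum(len(f) for f in matched.values()),
        "targeted_by_ext": matched,
        "other": other,
    }


def is_likely_staging_index(text, min_targeted=3, min_ratio=0.75):
    """Heuristic: a staging index enumerates mostly document, CAD and source files."""
    report = scope_staged_files(text)
    if report["total"] == 0:
        return False
    return (report["targeted"] >= min_targeted
            and report["targeted"] / report["total"] >= min_ratio)


if __name__ == "__main__":
    report = scope_staged_files(SAMPLE_INDEX)
    print(f"{report['targeted']} of {report['total']} indexed files match the target list")
    for ext, files in sorted(report["targeted_by_ext"].items()):
        print(f"  {ext}: {len(files)}")
    print("likely staging index:", is_likely_staging_index(SAMPLE_INDEX))
```

The thresholds in `is_likely_staging_index` are tuning knobs, not values from the article; a legitimate file listing (a build manifest, say) can also be document-heavy, so treat a hit as a lead for the analyst rather than a verdict.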

“Thus the malware steals the important files from the victim’s machine,” Wanve wrote.

Originally detected in March, the Travnet Trojan used a variant of the Lempel–Ziv–Storer–Szymanski (LZSS) algorithm to compress the data and then encoded the information using a custom Base64 alphabet, Wanve said. With the old Travnet, it was fairly straightforward to read the output of the compression, but the new Travnet binary modified the compression algorithm, making it harder to decompress the data, Wanve said.
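The analyst workflow implied by that paragraph, reversing a custom Base64 alphabet and then an LZSS stream to see what a captured upload contained, is shown below as an added example. It is not McAfee's, SecurityWeek's or the malware's code: the article gives neither Travnet's token layout, window size nor its alphabet, so the block uses a textbook LZSS layout (12-bit distance, 4-bit length, one flag byte per eight tokens) and a constructed rotated alphabet, all labelled as assumptions. The compressor exists only to build a sample blob for the decoder to work on.

```python
"""Analyst codec for a Travnet-style exfil blob.

Added example, not McAfee's, SecurityWeek's or the malware's code. The
article says the original Travnet compressed stolen data with an LZSS variant
and then applied a custom Base64 encoding. Everything parameterised below is
an assumption for illustration, not a recovered specification."""

import base64
import string

# --- Assumed parameters (not from the article) -----------------------------
WINDOW = 4096                  # 12-bit backward distance, 1..4096
MIN_MATCH = 3                  # match lengths 3..18 fit a 4-bit field
MAX_MATCH = MIN_MATCH + 15
STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/")
CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]  # constructed

# Constructed sample of the kind of text the bot stages before upload.
SAMPLE_PLAINTEXT = (
    b"C:\\Users\\alice\\Documents\\q3-forecast.xlsx\r\n"
    b"C:\\Users\\alice\\Documents\\board-deck.pptx\r\n"
    b"C:\\Users\\alice\\Documents\\contract.pdf\r\n"
)


def lzss_compress(data: bytes) -> bytes:
    """Greedy LZSS: flag byte, then 8 tokens; flag bit i = 1 for a literal byte,
    0 for a big-endian 16-bit token of ((distance-1) << 4) | (length-3)."""
    out, i = bytearray(), 0
    while i < len(data):
        flags, group = 0, bytearray()
        for bit in range(8):
            if i >= len(data):
                break
            best_len = best_dist = 0
            for j in range(max(0, i - WINDOW), i):
                length = 0
                # Overlapping matches (j + length >= i) are legal in LZSS.
                while (length < MAX_MATCH and i + length < len(data)
                       and data[j + length] == data[i + length]):
                    length += 1
                if length > best_len:
                    best_len, best_dist = length, i - j
            if best_len >= MIN_MATCH:
                group += (((best_dist - 1) << 4) | (best_len - MIN_MATCH)).to_bytes(2, "big")
                i += best_len
            else:
                flags |= 1 << bit
                group.append(data[i])
                i += 1
        out.append(flags)
        out += group
    return bytes(out)


def lzss_decompress(comp: bytes) -> bytes:
    """Inverse of lzss_compress; rejects truncated or out-of-range tokens."""
    out, pos = bytearray(), 0
    while pos < len(comp):
        flags, pos = comp[pos], pos + 1
        for bit in range(8):
            if pos >= len(comp):
                break
            if flags & (1 << bit):
                out.append(comp[pos])
                pos += 1
                continue
            if pos + 2 > len(comp):
                raise ValueError("truncated match token")
            token = int.from_bytes(comp[pos:pos + 2], "big")
            pos += 2
            dist, length = (token >> 4) + 1, (token & 0xF) + MIN_MATCH
            if dist > len(out):
                raise ValueError("match distance precedes start of output")
            for _ in range(length):      # byte by byte so overlaps copy correctly
                out.append(out[-dist])
    return bytes(out)


def custom_b64encode(raw: bytes) -> str:
    """Standard Base64, then substitute the assumed custom alphabet."""
    return base64.b64encode(raw).decode("ascii").translate(
        str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET))


def custom_b64decode(text: str) -> bytes:
    """Map the custom alphabet back to the standard one, then decode strictly."""
    return base64.b64decode(
        text.translate(str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)), validate=True)


def pack_exfil(raw: bytes) -> str:
    """Build a sample blob (compress, then custom-encode) for the decoder to test against."""
    return custom_b64encode(lzss_compress(raw))


def unpack_exfil(text: str) -> bytes:
    """What a responder runs on a captured upload: decode the alphabet, then decompress."""
    return lzss_decompress(custom_b64decode(text))


if __name__ == "__main__":
    blob = pack_exfil(SAMPLE_PLAINTEXT)
    print(f"{len(SAMPLE_PLAINTEXT)} bytes -> {len(blob)} encoded chars")
    print(unpack_exfil(blob).decode())
```

The order of the two steps matters for triage: a captured blob that decodes cleanly under the standard alphabet but yields garbage usually means the alphabet is the variant, while a blob whose decoded bytes fail in `lzss_decompress` with a range error points at a changed token layout, which is the kind of modification the article says the newer binary introduced.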

The attackers have updated the main binary and are randomly generating the .asp files that control the bot from their control servers. They also appear to be restoring previously downed domains and .asp files so that they can continue to collect data from previously infected machines, Wanve said.

The updated Travnet also collects the list of running processes on the system before transferring the encrypted file to a remote server. The old Travnet bot initially stole a lot more information about the machine such as IP configuration details, username, operating system, and computer name, Wanve noted.


Once the stolen documents have been uploaded, the control server instructs Travnet to download PCRat, a RAT written in Chinese. PCRat connects to a different remote control server on a different port, and then sends even more information about the machine in an encrypted format, Wanve said. Unlike the Travnet binary, which essentially had only two commands (uninstall and upload), PCRat is capable of executing a longer list of commands.

“With the help of PCRat, the Travnet botnet takes full control of a victim’s machine,” Wanve said.

In an analysis back in April, McAfee researchers detected Chinese strings in Travnet’s source code, leading them to conclude that Travnet was being used as part of a targeted attack to steal sensitive data, and that “huge amounts of data” had already been stolen from victims.

“We suspect the attackers are using the initial data—computer information, IPs—to steal sensitive data from a particular group or identity,” Wanve wrote.

McAfee researchers believe that victims are being infected with Travnet via malicious email messages. The Trojan exploits various vulnerabilities in Microsoft Office, including CVE-2010-333, a flaw which was also exploited by the cyber-gang behind Red October. Travnet does not appear to be exploiting any zero-days at this point, only vulnerabilities which have already been patched. Some Travnet samples have been active since 2009, McAfee said.

“The attackers behind Travnet are very active,” Wanve wrote.
