In between FIRST conference and a couple beers, I stumbled upon an email uploaded to Virustotal. The file itself is an EML and has the name of “CIA’s _prism Watchlist_.eml”. Inside the email, the content is the following:
It appears the intended recipient of the malicious mail was a yahoo account linked to the Regional Tibet Youth Congress in Mundgod, India. What’s amusing is the sender address which makes an attempt to be Jill Kelley, the woman who kicked off that crazy FBI investigation fiasco a couple months back. The attachment is a Word document labeled “Monitored List 1.doc”, exploiting the always favored CVE-2012-0158 and can be tied back to the same actors involved in the NetTraveler campaigns brought to light by Kaspersky. It’s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed. Again, this sort of behavior shows poor operational security or a complete lack of care.
Not having an analysis machine means I couldn’t obtain any command and control data, but Malwr.com was kind enough to give some information back. The report notes several files being written to the system including “dw20.exe”, a favorite name for processes by these actors, “memshare.dat” and “ntshrui.dll”. Whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. The NetTraveler attackers have been going strong since the early 2007-2008’s and I doubt they will be stopping anytime soon.
And now back to the conference!