Last month, I spoke about Hypertotal (a framework to identify actors abusing VirusTotal) and since then, nothing has changed (no surprises there). For over 2 years now, I have watched the NetTraveler actors use VirusTotal as a records retention utility (at least it appears that way) and aside from all the normal indicators you would expect, it appears they have leaked a bit of their operational process for compromising email through their uploaded files. I can’t be 100% sure of my theory, but I will outline what I found below and leave it at that.
Since February 23, 2009 up until today (March 20, 2014), actors involved in the NetTraveler operations have uploaded over 800 samples. These samples include stolen email, implanted files, decoy documents and malicious payloads. What I found interesting about a subset of these uploads was the naming convention used to describe the file uploaded for analysis. On more than one occasion, I noticed the following pattern, “<username> <mail location><uid>.eml”, which in practice would look like the following, “rtyctashiling Inbox8849.eml”. Doing a quick analysis of the file, I could see it was an email from the user “firstname.lastname@example.org” and pulled from their inbox using IMAP (the UID appended to the email headers and located in the filename).
After noticing the pattern, I began to search for more examples. In total, I have about 100 or so files that follow this pattern. Besides “Inbox”, I also found names with “Trash” and “Sent”, implying that the actors were pulling down the entire mailbox to their system and searching through it for good phishing material. In two cases in particular, an actor’s directory path was appended to the filenames and revealed an organized set of folders for targets. Directory paths implied focus on certain targets and appeared to also denote importance. Two examples of interest were — C:\Documents and Settings\Administrator\桌面\重要\流亡议会议员莫格鲁登帕（Mogru Tenpa）\mogrut Inbox9686.eml (Desktop\Important\Member of the Parliament-in-exile Mogru Tenpa) and C:\Documents and Settings\Administrator\桌面\06192000\台湾西藏办公室\HH Karmapa Book Launched by Aruna Roy.eml (Desktop\06192000\Office of Tibet Taiwan).
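As an added example (not tooling from the original post), the following Python script parses a list of upload filenames against the “<username> <mailbox><uid>.eml” convention described above, tolerates a leading Windows or Unix directory path, and clusters the hits by account so that distinct mailboxes can be counted. The filenames in SAMPLE_NAMES and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample filenames that follow the "<username> <mailbox><uid>.eml"
# convention described above, plus two unrelated uploads that must not match.
# These are illustrative, not real VirusTotal submission names.
SAMPLE_NAMES = [
    "rtyctashiling Inbox8849.eml",
    "rtyctashiling Sent112.eml",
    "mogrut Inbox9686.eml",
    r"C:\Documents and Settings\Administrator\Desktop\important\mogrut Inbox9700.eml",
    "tibetdesk Trash41.eml",
    "HH Karmapa Book Launched by Aruna Roy.eml",   # .eml but not the IMAP dump pattern
    "invoice_2013.doc",                            # unrelated upload
]

# Optional path prefix, then "<user> <Inbox|Sent|Trash><uid>.eml".
# The user part may not contain path separators or spaces, which is what makes
# the split between the directory prefix and the account name unambiguous.
UPLOAD_NAME = re.compile(
    r"^(?:(?P<dir>.*[\\/]))?"
    r"(?P<user>[^\\/ ]+) (?P<folder>Inbox|Sent|Trash)(?P<uid>\d+)\.eml$",
    re.IGNORECASE,
)


def parse_upload_name(name):
    """Return the account, mailbox folder, IMAP UID and directory prefix, or None."""
    m = UPLOAD_NAME.match(name)
    if m is None:
        return None
    return {
        "user": m.group("user"),
        "folder": m.group("folder").capitalize(),
        "uid": int(m.group("uid")),
        "dir": m.group("dir") or "",
    }


def cluster_by_account(names):
    """Group matching filenames by account so distinct mailboxes can be counted."""
    accounts = defaultdict(lambda: {"folders": set(), "uids": [], "dirs": set()})
    for name in names:
        parsed = parse_upload_name(name)
        if parsed is None:
            continue
        entry = accounts[parsed["user"]]
        entry["folders"].add(parsed["folder"])
        entry["uids"].append(parsed["uid"])
        if parsed["dir"]:
            entry["dirs"].add(parsed["dir"])
    return dict(accounts)


def summarize(names):
    """One line per account: message count, folders seen, UID range, directories."""
    lines = []
    for user, entry in sorted(cluster_by_account(names).items()):
        uids = sorted(entry["uids"])
        lines.append(
            f"{user}: {len(uids)} message(s), folders={sorted(entry['folders'])}, "
            f"uid range {uids[0]}-{uids[-1]}, dirs={sorted(entry['dirs'])}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_NAMES):
        print(line)
```

Run against a list of submission names and the number of keys in cluster_by_account is the number of distinct accounts the naming scheme implies; the UID range per account gives a rough sense of how much of a mailbox was pulled.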
Based on my observations, I believe the following procedure is used by the NetTraveler actors to phish their victims:
- Send a phishing email to a group of targets
- Successfully compromise the email account (via an XSS bug or an implanted attachment)
- Use IMAP to download all the email from the account and label the files (possibly automatically) with the above naming scheme
- Identify clean messages in the account and implant their existing attachments with malicious payloads
- Re-attach the implanted versions of the original attachments to a copy of the original mail and send it to new victims who were not on the first recipient list
As an example of this in action, at the end of December 2012, NetTraveler attackers compromised the email inbox of a reporter for a Tibet news organization and maintained access until at least the end of June of 2013. On June 18th, the reporter was one of roughly 250 recipients on an email from the Karmapa Office of Administration with three attachments describing an upcoming press release as seen in the screenshot above.
NetTraveler actors downloaded the email one day later using IMAP from the reporter’s inbox and implanted all three attachments with their tools. They then copied the original body of the email, spoofed the sending address to match the original sender and sent the malicious email to the Office of Tibet Taiwan as seen in the screenshot above. It’s not clear whether or not the attack was successful, but it should be noted that the Office of Tibet Taiwan was not on the original list of recipients of the clean email.
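The reuse described above can be checked mechanically when you hold both the clean message and the re-sent one. The following Python script is an added example, not tooling from the original post: it builds a clean message and a re-sent copy with the same body and sender but implanted attachments and a recipient who was not on the original list, parses both back from .eml bytes, and reports what changed between the two. All addresses, filenames and attachment contents are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_eml(sender, recipients, subject, body, attachments, message_id):
    """Build an RFC 5322 message and serialize it, as it would sit in a mailbox."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["Message-ID"] = message_id
    msg.set_content(body)
    for filename, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def load_eml(raw):
    return message_from_bytes(raw, policy=policy.default)


def attachment_digests(msg):
    """Map attachment filename -> SHA-256 of its decoded content."""
    return {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }


def body_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().strip() if body is not None else ""


def recipient_addrs(msg):
    addrs = set()
    for header in ("To", "Cc"):
        if msg[header] is not None:
            addrs.update(a.addr_spec.lower() for a in msg[header].addresses)
    return addrs


def compare_messages(original, resent):
    """Compare a known-clean message with a later one that may reuse it."""
    orig_att, new_att = attachment_digests(original), attachment_digests(resent)
    return {
        "same_subject": original["Subject"] == resent["Subject"],
        "same_body": body_text(original) == body_text(resent),
        "same_from": original["From"] == resent["From"],
        "same_message_id": original["Message-ID"] == resent["Message-ID"],
        "new_recipients": sorted(recipient_addrs(resent) - recipient_addrs(original)),
        "modified_attachments": sorted(
            n for n in orig_att if n in new_att and orig_att[n] != new_att[n]),
        "added_attachments": sorted(set(new_att) - set(orig_att)),
    }


def is_suspected_reuse(report):
    """Same text and sender, a new Message-ID, re-addressed, attachments altered."""
    return (report["same_body"] and report["same_from"]
            and not report["same_message_id"]
            and bool(report["modified_attachments"] or report["added_attachments"])
            and bool(report["new_recipients"]))


# --- Constructed sample data (illustrative, not the real messages) -----------
CLEAN_ATTACHMENTS = {
    "press_release.doc": b"clean press release",
    "schedule.doc": b"clean schedule",
    "speakers.doc": b"clean speaker list",
}
# The attacker keeps the filenames but swaps the contents for implanted copies.
IMPLANTED_ATTACHMENTS = {name: data + b"\x00<implant>"
                         for name, data in CLEAN_ATTACHMENTS.items()}

ORIGINAL = load_eml(build_eml(
    "Office of Administration <office@example.org>",
    ["reporter@example.com", "editor@example.com"],
    "Upcoming press release",
    "Please find attached the materials for the press conference.",
    CLEAN_ATTACHMENTS, "<orig-1@example.org>"))

RESENT = load_eml(build_eml(
    "Office of Administration <office@example.org>",   # spoofed to match the original sender
    ["office-taiwan@example.net"],                       # not on the original recipient list
    "Upcoming press release",
    "Please find attached the materials for the press conference.",
    IMPLANTED_ATTACHMENTS, "<resent-1@attacker.invalid>"))

REPORT = compare_messages(ORIGINAL, RESENT)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
    print("suspected reuse:", is_suspected_reuse(REPORT))
```

The attachment comparison is by content hash rather than filename, which is the point: the implanted copies keep the original names, so a filename-only check would see nothing changed. Feeding the same message as both sides of compare_messages yields no new recipients and no modified attachments, so it is not flagged.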
The process outlined above is not new, but it shows a level of thought and effort that most attackers wouldn’t go through. Every day, these actors continue to use recent events from all over the world to help craft legitimate looking emails. If my theory of uploaded email is true, then over 30 different email accounts have been compromised and accessed over the course of several years. While that number sounds low, think of all the material and trust relationships that could be abused for future operations.