Cyberspies tap free tools to make powerful malware framework

The Netrepser cyberespionage group managed to infect hundreds of computers belonging to government agencies and organizations.

Over the past year, a group of attackers has managed to infect hundreds of computers belonging to government agencies with a malware framework stitched together from JavaScript code and publicly available tools.

The attack, analyzed by researchers from antivirus firm Bitdefender, shows that cyberespionage groups don't necessarily need to invest a lot of money in developing unique and powerful malware programs to achieve their goals. In fact, the use of publicly available tools designed for system administration can increase an attack's efficiency and make it harder for security vendors to detect it and link it to a particular threat actor.

The Bitdefender researchers have dubbed the newly discovered attack group Netrepser and traced back some of its attack campaigns to May 2016. The group is still active, but to Bitdefender's knowledge its attacks have never been publicly documented before, which might be in part because its campaigns are highly targeted.

After analyzing the way in which Netrepser's command-and-control server assigns unique tracking IDs to infections, the Bitdefender researchers believe that the attack group has compromised around 500 computers to date. The vast majority of those systems belong to government agencies and organizations, indicating that Netrepser's goal is cyberespionage, not financially motivated cybercrime.

Bitdefender declined to disclose the countries whose government agencies have been targeted, but some of the spear-phishing emails sent by the cyberespionage group contained malicious Microsoft Office documents with Russian names and text. This doesn't necessarily limit attacks to Russia, because the Russian language is used in many former Soviet Union member countries.

The rogue documents had malicious macros embedded in them and contained instructions asking users to enable the macros so that the code could run. This is a common malware distribution technique that has been used in many attacks over the past few years.

Once executed, the macros drop an obfuscated JavaScript file with a .JS or .JSE extension that is executed natively on Windows through the Windows Script Host (WScript.exe). The code also creates registry start-up entries or scheduled tasks, depending on the Windows version, to ensure that the JS or JSE script is executed after every system reboot.

JavaScript code makes up the core of Netrepser's malware platform. It handles communication with the command-and-control server and downloads additional components based on commands received from it. It can also execute shell commands via cmd.exe to get information about the system, list running processes or enumerate files in directories.

The malware's modules are actually free tools used by system administrators. For example, Netrepser downloads and installs the WinRAR archiving utility, which it then uses to compress and password-protect stolen information before exfiltrating it from an infected computer.
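As an added defender-side example (not code from the article or from Bitdefender's analysis), the following Python script checks process-creation records for the chain described above: an Office application handing off to the Windows Script Host with a .JS/.JSE argument under a user-writable directory, the script host spawning cmd.exe for reconnaissance, and the script host launching WinRAR to pack data. The `parent|image|command line` record format, the rule names and the sample events are assumptions constructed for this example.

```python
"""Flag Netrepser-style process chains in constructed process-creation log lines.
Rules mirror the article: Office macro -> dropped .JS/.JSE run by wscript.exe from a
user-writable directory, script host -> cmd.exe for recon, script host -> WinRAR."""
import re

# Constructed sample events (one per line): parent image | child image | command line.
SAMPLE_EVENTS = r"""explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docm
winword.exe|wscript.exe|wscript.exe C:\Users\u\AppData\Roaming\svc.jse
wscript.exe|cmd.exe|cmd.exe /c tasklist
wscript.exe|rar.exe|rar.exe a C:\Users\u\AppData\Local\Temp\out.rar C:\Users\u\Documents
explorer.exe|wscript.exe|wscript.exe C:\Scripts\backup.js
svchost.exe|notepad.exe|notepad.exe"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
SCRIPT_EXT = re.compile(r"\.jse?\b", re.IGNORECASE)           # .js or .jse argument
USER_DIR = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads)\\", re.IGNORECASE)

def classify(parent, image, cmdline):
    """Return the names of the rules one event matches (empty list if none)."""
    hits = []
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmdline):
        if parent in OFFICE_APPS:
            hits.append("office_spawns_script_host")      # macro handing off to a dropped script
        if USER_DIR.search(cmdline):
            hits.append("script_from_user_writable_dir")  # dropper wrote it under the user profile
    if parent in SCRIPT_HOSTS and image == "cmd.exe":
        hits.append("script_host_spawns_cmd")             # system/process/file enumeration
    if parent in SCRIPT_HOSTS and image in ARCHIVERS:
        hits.append("script_host_spawns_archiver")        # staging stolen data for exfiltration
    return hits

def scan(log_text):
    """Parse the constructed log format; return (line number, matched rules) per hit."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        fields = line.split("|", 2)
        if len(fields) != 3:
            continue  # malformed record: skip it rather than abort the scan
        parent, image, cmdline = fields[0].strip().lower(), fields[1].strip().lower(), fields[2]
        rules = classify(parent, image, cmdline)
        if rules:
            findings.append((number, rules))
    return findings

if __name__ == "__main__":
    for number, rules in scan(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(rules)}")
```

The admin's own `wscript.exe C:\Scripts\backup.js` launched from Explorer is deliberately left unflagged, so the rules key on the parent process and the drop location rather than on script-host use alone.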

