Inside Netrepser – a JavaScript-based targeted attack

Thursday 5 October 16:00 - 16:30, Red room

Cristina Vatamanu (Bitdefender)
Adrian Schipor (Bitdefender)
Alexandru Maximciuc (Bitdefender)

Targeted attacks are usually deployed to interfere with the operation of specific entities. In order to get the job done, the attackers run low under the radar for a considerable period of time, allowing them to operate unrestricted in the victim's environment. These kinds of attacks are usually custom-made with just enough features to enable them to carry out the attacks for which they have been designed.

The piece of malware presented in this paper, Netrepser, uses quite an array of methods to steal valuable and specific information from specific victims. It is built around a legitimate, yet controversial recovery toolkit provided by NirSoft. The cybercriminals manage to play the simplicity card to better blend in with the environment.

We have isolated and dissected the malware in order to better understand its early stages. This paper will detail its method of distribution through advanced spear-phishing techniques, its communication with the C&C servers, the JavaScript payloads used in the attack, the methods of collecting intelligence and exfiltrating it systematically, the tools used, the methods of obfuscation deployed to avoid detection and, ultimately, the impact it has on the victim's data. Analysing this piece of malware, observing its primary focus, the number of victims and the data it gathers, we presume that this targeted attack is part of a cyber-espionage campaign.



Cristina Vatamanu

Cristina Vatamanu graduated from the Faculty of Computer Science at the University of 'Gheorghe Asachi'. She has worked at Bitdefender for almost eight years. Some of her responsibilities (and hobbies) include reverse engineering, exploit analysis, and automated systems.




Adrian Schipor

Adrian Schipor has worked at Bitdefender for four years and is passionate about reverse engineering, exploits and cryptography. He is also currently studying for a Ph.D. in cryptography at the 'Alexandru Ioan Cuza' University of Iasi.




Alexandru Maximciuc

Alexandru Maximciuc is passionate about reverse engineering, likes Perl and Go, and studied mathematics. He has been working at Bitdefender for ten years, and he really enjoys fighting malware.








Other VB2017 papers

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.