Cybercriminals Put More Muscle Behind Travnet Botnet


The cybercriminals behind the Travnet botnet, known for its ability to steal large files including Microsoft Office files and PDFs, are aggressively bolstering its infrastructure and actively improving the malware and command and control capabilities behind the threat.

The Travnet Trojan, which was detected in March targeting a patched Microsoft Office vulnerability, searches for all document files on a victim's machine and uploads them to a remote server. McAfee researchers said Travnet had been able to evade detection from firewalls and intrusion detection and prevention systems by encrypting data before uploading it.

The latest iteration of Travnet adds a new compression algorithm, a new list of files to steal and improved control commands, wrote Umesh Wanve, a McAfee researcher who analyzed the threat. Travnet installs a remote administration tool that gives the attacker complete control over a victim's machine, Wanve wrote.

[Related: Microsoft: Don't Be Fooled By The Cool Exploit Kit]

In addition to bolstering Travnet and its payload capabilities, the attackers behind the targeted campaign are aggressively updating the files used to generate commands to the botnet.

"The attackers behind Travnet are very active," Wanve wrote. "We have also seen that the attackers are actively restoring previous domains that were down and .asp files so that they can continue to collect data from previously infected machines."

Once a victim's machine has been infected, the malware detects the running processes on the machine, steals, compresses and encrypts the documents it seeks, and then uploads them to a remote server. Then the remote administration tool is installed, which sends information about the machine in encrypted format.

McAfee researchers have detected the presence of Chinese strings in the malware code, leading them to believe it is part of a broader campaign to steal intellectual property and eavesdrop on specific individuals.

"We believe that huge amounts of data have been stolen from victims whose machines were infected with Travnet," Wanve wrote. "We suspect the attackers are using the initial data -- computer information, IPs -- to steal sensitive data from a particular group or identity."

The Travnet Trojan spreads through malicious email attachments. It exploits the same Microsoft Office vulnerability as the Red October cyberespionage campaign, which targeted organizations in Russia, Kazakhstan and the U.S. The attackers in that campaign also were aggressive, creating more than 60 domain names and maintaining several server hosting locations, according to analysis conducted by Kaspersky Lab.

Both campaigns are being actively monitored by security researchers. The Red October attackers also made the command and control servers resistant to takeover. The malware toolkit contains 30 different modules and has been active for at least five years. In addition to being able to hijack files from removable drives, the Red October campaign became known for its ability to steal data from mobile devices.

PUBLISHED MAY 14, 2013