GOVERNMENT AGENCIES have been the target of a malware framework known as Netrepset since May 2016 in what could be part of a high-level cyber-espionage campaign.
That's according to researchers at security firm Bitdefender, which had initially looked into the malware last year. Its threat response team isolated several samples from the 'internal malware zoo', while looking into a custom file-packing algorithm. A deeper look into its telemetry revealed that the malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets - mostly government agencies.
The malware can be paired with advanced spear phishing techniques in a bid to collect intelligence, and this is why Bitdefender presumes it is part of a high-level campaign.
Bitdefender said that the unusual build of the malware could have easily made it pass for a regular threat, like many of those that organisations block on a daily basis. However, it's more complex than many of those threats as it has a repertoire of methods which it uses to steal information, including keylogging, password and cookie theft.
It is built using a recovery toolkit provided by Nirsoft, which Bitdefender suggested was a legitimate, yet controversial tool.
"The controversy stems from the fact that the applications provided by Nirsoft are used to recover cached passwords or monitor network traffic via powerful command-line interfaces that can be instructed to run completely covertly," said Bitdefender.
"For a long time now, the antimalware industry has flagged the tools provided by Nirsoft as potential threats to security specifically because they are extremely easy to abuse, and oversimplify the creation of powerful malware," it added.
But the security company emphasised that even though Netrepset malware uses free tools and utilities to carry out jobs, the combination of the complexity of the attack and the targets involved suggests that it is "more than a commercial-grade tool".
For example, the criminals behind the malware have even included a 'killswitch' job to clean up after themselves after exfiltration.
"This option is key in establishing that this is not an opportunistic attack, but rather a well-designed espionage campaign with multiple redundancies and, ultimately, a way to deter forensic processes that might recover evidence," the company said.
The group behind the malware has compromised approximately 500 computers and exfiltrated an unknown number of documents, login credentials or other pieces of intelligence since May 2016.
Bitdefender said that because of the nature of the attacks, attribution was impossible without venturing into the realm of speculation.