NetTraveler is a malware family that has been associated with APT campaigns against high-profile victims in different countries. In this blog post, we will discuss how to detect the beaconing activity of one of its variants using RSA Security Analytics.
When this NetTraveler variant hits a machine, it enumerates all the files on the system as well as the running processes. The data is encoded and saved to the victim machine. In addition, the binary collects basic system information for identification purposes. Once it is ready, it starts communicating with its C2 server as follows:
hostid is the volume serial number as returned by the GetVolumeInformation system call
filename has the creation timestamp of the file with the encoded process list
filetext has the encoded process list between the two tokens begin:: and ::end
And this is how the traffic looks in Security Analytics Investigator:
Assuming the appropriate meta keys are enabled, the following query can be used to detect NetTraveler network activity:
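As an added example (not code from the original post, and not the Security Analytics query it refers to), the following Python check applies the three field definitions above to captured request bodies. The form-encoded POST layout, the parameter names and the sample values are assumptions, not taken from the original capture.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies. The beacon is assumed to be a
# form-encoded POST carrying the three fields the post describes; the
# hostid, timestamp and encoded list are made-up values.
SAMPLE_BODIES = [
    "hostid=1A2B3C4D&filename=20130601123045&filetext=begin::ZXhwbG9yZXIuZXhl::end",
    "user=alice&action=login",                          # benign request
    "hostid=1A2B3C4D&filename=x&filetext=begin::abc",   # truncated, no ::end token
]

# filetext must be bracketed by the begin:: and ::end tokens
FILETEXT_RE = re.compile(r"^begin::(.*)::end$", re.DOTALL)


def parse_beacon(body: str):
    """Return the three NetTraveler fields if the body has the shape
    described in the post, otherwise None."""
    params = parse_qs(body, keep_blank_values=True)
    try:
        hostid = params["hostid"][0]      # volume serial number
        filename = params["filename"][0]  # creation timestamp of the list file
        filetext = params["filetext"][0]  # encoded process list with tokens
    except KeyError:
        return None
    m = FILETEXT_RE.match(filetext)
    if m is None:
        return None
    return {"hostid": hostid, "filename": filename, "encoded_list": m.group(1)}


def find_beacons(bodies):
    """Run the check over a batch of bodies; return (index, fields) for each hit."""
    hits = []
    for i, body in enumerate(bodies):
        parsed = parse_beacon(body)
        if parsed is not None:
            hits.append((i, parsed))
    return hits


if __name__ == "__main__":
    for idx, fields in find_beacons(SAMPLE_BODIES):
        print(f"body {idx}: hostid={fields['hostid']} filename={fields['filename']}")
```

Note that parse_qs turns a literal "+" into a space, so if the encoding used by the sample you are matching contains "+" characters, decode the body with that in mind before comparing the extracted list.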