At the end of September 2017, Palo Alto Networks' Unit 42 published research that also covered the malicious PYLOT program. Kaspersky Lab analysts write that this backdoor has been known to them since 2015 under the name Travle. Moreover, the company recently took part in the investigation of a successful attack using Travle, during which a detailed threat analysis was carried out. Kaspersky Lab experts therefore decided to supplement Palo Alto's findings by publishing a report of their own.
The malware was named Travle because early samples of this family contained the string "Travle Path Failed!". The typo was later corrected, and newer versions carry the string "Travel Path Failed!".
Analysts believe that Travle may be the successor of another known malware family, NetTraveler. While investigating targeted phishing attacks, researchers found a large number of malicious documents whose names suggest Russian-speaking targets, with encrypted executable files embedded inside.
This encryption method has long been known: attackers initially used it to hide the Enfal backdoor inside exploit-carrying documents. Soon such documents were found delivering not only Enfal but also Travle, and later Microcin as well. In addition, the domains of the Travle command-and-control servers often overlap with the Enfal domains. As for NetTraveler, at some point Enfal samples began to use the same encryption method to store the command-and-control server address that was used in NetTraveler.
This suggests that Enfal, NetTraveler, Travle and Microcin are related to each other and, apparently, have Chinese roots.
The Travle backdoor's exchange with its command-and-control server begins by sending the operators information about the target operating system. The data is transferred via an HTTP POST request to an address built from the command-and-control server domain and the path parameters specified in the configuration. The malware reports the following data to the attackers:
- user ID (based on the name and IP address of the computer);
- computer name;
- keyboard layout;
- OS version;
- IP address;
- MAC address.
In response, the command-and-control server tells the backdoor the path for receiving commands and sending reports on executed commands, the paths for downloading and uploading files, and also the RC4 keys and the C&C ID. The encryption algorithm used depends on the type of object being transferred.
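The check-in exchange described above, as an added mock-up that is not code from Kaspersky's or Palo Alto's reports: the field set, the HTTP POST transport, the server-issued RC4 keys and the C&C ID come from the write-up, while the serialisation, the user-ID derivation, the path values and the sample victim profile are constructed assumptions. It also shows why capturing that first reply matters to an analyst: the key for every later object is in it.

```python
import hashlib
from urllib.parse import urlencode, parse_qs

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_checkin(host, ip, layout, os_ver, mac):
    """Victim profile POSTed first. The field set is from the report; the
    user-ID derivation (hash of name+IP) and form encoding are assumptions."""
    uid = hashlib.sha1(f"{host}:{ip}".encode()).hexdigest()[:12]
    return urlencode({"uid": uid, "host": host, "kbd": layout,
                      "os": os_ver, "ip": ip, "mac": mac}).encode()

def parse_checkin(body):
    """Server-side (or analyst-side) view of the beacon body."""
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}

def build_reply(uid):
    """C2 answer: command/report/download/upload paths, RC4 key, C&C ID.
    The key=value line layout and the path values are constructed."""
    key = hashlib.sha1(b"constructed-key-" + uid.encode()).digest()[:16]
    fields = {"cmd_path": f"/c/{uid}", "report_path": f"/r/{uid}",
              "dl_path": "/d", "ul_path": "/u", "rc4": key.hex(), "cc_id": "cc-01"}
    return "\n".join(f"{k}={v}" for k, v in fields.items()).encode()

def parse_reply(body):
    return dict(line.split("=", 1) for line in body.decode().splitlines())

def decode_object(cfg, wire):
    """Decrypt a post-handshake object with the key the C2 handed out."""
    return rc4(bytes.fromhex(cfg["rc4"]), wire).decode()

def simulate_session():
    """Both sides of the exchange on a constructed victim profile."""
    beacon = build_checkin("WS-042", "10.0.0.7", "00000419", "6.1", "00:11:22:33:44:55")
    profile = parse_checkin(beacon)
    cfg = parse_reply(build_reply(profile["uid"]))
    wire = rc4(bytes.fromhex(cfg["rc4"]), b"task:constructed-sample")  # C2 side
    return profile, cfg, decode_object(cfg, wire)
```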
Travle can perform a variety of tasks: examine the file system; execute processes; search for, delete, rename and move specific files; create new configuration files; process files in batch mode and run a batch script; download and upload files; and download and run plugins, as well as unload them from memory and delete them.
Overall, the researchers note that the actors behind the Travle attacks have been operating for a long time and do not seem to care that antivirus companies can track them. Practically every modification and new addition to this group's arsenal is discovered quickly. Nevertheless, in all these years the attackers have not needed to change their tactics, techniques and procedures.
These backdoors are used mainly in the CIS region against government organisations, organisations and companies connected in some way with the military and weapons development, and companies engaged in high-tech research. According to the analysts, this shows that even organisations of this level still have a long way to go in implementing advanced information security practices and effectively resisting targeted attacks.