BSidesSF 2018

The discovery of Stuxnet in a uranium enrichment facility in Natanz opened a new era in tactical military operations. For seven years, advanced espionage and sabotage operations have been carried out with the help of extremely complex code written especially for the job, and then discarded.

The Netrepser threat we have analyzed and documented in the following pages is the exact opposite: a complex, targeted malware framework that, unlike a military-grade APT, is “stitched together” with freeware utilities to carry a complex job through to completion. The approach the team behind Netrepser took is extremely unusual for an espionage campaign: they play the simplicity card to better blend in with the environment, even at the cost of triggering alarms.

Netrepser is the perfect example of a very advanced espionage tool used to target a number of high-profile institutions and exfiltrate information in a novel way. We have isolated and dissected it to better understand its early stages, its communication techniques and, ultimately, its impact on the victim’s data.