Netrepser is a JavaScript (JavaScript ≠ Java) Trojan designed for espionage purposes. It was detected and reported by Bitdefender on May 5, 2017. Believed to be of Russian origin, the Trojan is commonly distributed by email. However, its JavaScript nature suggests that it could also cause infections in a web-based “drive-by download” fashion.
Bitdefender asserts that *most* (but not all) victims have been government entities. However, based upon a very recent hack of a local security company, I believe that this Trojan is “in the wild”. One unique characteristic of this Trojan is its use of Nirsoft utilities to steal all kinds of passwords (local and network) and to perform network monitoring and keylogging.
Nirsoft is one of those “White Hat/Black Hat” companies. I use products from Nirsoft to support forensic efforts, although make no mistake, they are not liked by Bitdefender. Nirsoft itself provides a listing of password storage locations for popular Windows programs, although it is a little dated.
In the case of this small local company, Nirsoft’s “MailPass View” was likely invoked. Their stolen email credentials were used by IP addresses originating in Ukraine to send out spam and malware. Note that email account usernames and passwords don’t bring great value on their own, but they are aggregated and traded on the “dark web”.
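The behaviour described above, a script-based Trojan launching a Nirsoft credential-recovery tool, is something a defender can triage from process-creation telemetry. The following is an added example, not code from this post or from Bitdefender; the tool file names, the save-to-file switches and the sample events are assumptions constructed here:

```python
"""Triage process-creation events for a script host launching a Nirsoft
credential-recovery tool, the pattern this post attributes to Netrepser."""

# Image names of Nirsoft password-recovery tools (assumed usual file names,
# not values taken from this post or from Bitdefender's report).
NIRSOFT_TOOLS = {
    "mailpv.exe": "email client credentials",
    "webbrowserpassview.exe": "browser-saved passwords",
    "netpass.exe": "network/share credentials",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Save-to-file switches these tools accept (assumption); a silent run with
# one of them is how a Trojan, not a technician, would use the tool.
SAVE_SWITCHES = ("/stext", "/shtml", "/scomma", "/sxml")

# Constructed sample events in the shape an EDR/Sysmon process-creation
# record would carry; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\mailpv.exe",
     "cmdline": r"mailpv.exe /stext C:\Users\bob\AppData\Local\Temp\m.txt"},
    {"host": "admin01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\nirsoft\netpass.exe", "cmdline": "netpass.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Score one event: 0 = not a credential tool, 1 = tool run interactively
    (a technician), 3+ = tool spawned by a script host, the Trojan pattern."""
    image, parent = basename(event["image"]), basename(event["parent"])
    what = NIRSOFT_TOOLS.get(image)
    if what is None:
        return 0, "not a known credential-recovery tool"
    score, reasons = 1, [f"{image} recovers {what}"]
    if parent in SCRIPT_HOSTS:
        score, reasons = score + 2, reasons + [f"spawned by script host {parent}"]
    if any(s in event["cmdline"].lower() for s in SAVE_SWITCHES):
        score, reasons = score + 1, reasons + ["output written to a file"]
    return score, "; ".join(reasons)

def triage(events, threshold=3):
    """Return alerts for events at or above threshold, most severe first."""
    alerts = [{"host": e["host"], "score": s, "reason": r}
              for e in events for s, r in [classify(e)] if s >= threshold]
    return sorted(alerts, key=lambda a: -a["score"])
```

An administrator running a Nirsoft tool by hand scores 1 and is not alerted on; the same tool spawned silently from wscript.exe with a save switch scores 4.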
Bitdefender’s Introduction can be found here: https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/.
Bitdefender’s Detailed PDF whitepaper can be downloaded here: https://labs.bitdefender.com/wp-content/uploads/downloads/inside-netrepser-a-javascript-based-targeted-attack/.
A locally cached version of Bitdefender’s PDF can be found here.