Decade-old NetTraveler Malware Used in Multi-National Attacks

APT Group Uses NetTraveler to Spy on Russian, European Victims

NetTraveler, a Trojan that is over a decade old, was recently observed in a series of cyber-espionage attacks launched against victims in Russia and neighboring European countries, Proofpoint researchers warn. Proofpoint believes the group is operating out of China.

Also known as TravNet, the malware was distributed via spear phishing emails that contained URLs to RAR-compressed executables and malicious Microsoft Word documents that attempted to exploit a 4-year old vulnerability in Office. The security flaw, tracked as CVE-2012-0158 and patched in 2012, is still used in numerous attacks, Sophos researchers revealed earlier this week.

The NetTraveler Trojan, used in this campaign against victims in Russia, Mongolia, Belarus, and other European countries, has been associated with numerous attacks launched by advanced persistent threat (APT) groups in the past. Back in 2013, Kaspersky Lab revealed a cyber-espionage campaign that hit targets in 40 countries with this piece of malware. Soon after, the actor moved to new servers and switched to targeting Uyghur activists.

In May this year, Kaspersky Lab revealed that a remote code execution vulnerability in Office, tracked as CVE-2015-2545, was abused by multiple APTs, including the group related to NetTraveler and DragonOK. Last week, Palo Alto Networks uncovered links between Chinese APT malware by analyzing MNKit, a document exploit generator, and NetTraveler’s name popped up as well.

Now, Proofpoint says that the China-based using NetTraveler in recent attacks might have also used Saker, Netbot, DarkStRat, and LURK0 Gh0st in its cyber-espionage activities. The group, which is usually focusing on organizations such as weapons manufacturers, human rights activists, and pro-democracy groups, among others, also employed PlugX for nefarious operations last year.

The actor was observed registering news and military lookalike sites that it uses for Command and Control (C&C) and for payload hosting. Before launching an attack, the actor finds a relevant article on a news topic such as nuclear energy, military training, or geopolitics, and uses it as a basis for the phishing lure, researchers explain.

The phishing emails sent to victims either include a link to RAR SFX-packaged executables that are hosted on look-alike domains, but which install NetTraveler. Other emails include a malicious Microsoft Word document as attachment. Designed to exploit CVE-2012-0158, these documents were built using MNKit and various builder artifacts are visible in the document. Depending on the targeted country, the actor switches lures and decoys accordingly.

The actor set up its domains with the same registrar in Beijing, referred to as “Shanghai Meicheng Technology Information Development Co., Ltd.,” but provided randomized information at registration (except for email addresses). According to Proofpoint researchers, the new campaign shows similarities with the PlugX campaign spotted last year, in terms of infrastructure.

The NetTraveler Trojan uses a DLL side-loading technique (a clean signed executable fsguidll.exe or RasTls.exe is used to sideload fslapi.dll or rastls.dll, respectively). The malware uses a configuration file with a known format.

Being used for over a decade for cyber-espionage, NetTraveler continues to prove a powerful threat, demanding increased vigilance and technological protections, researchers say. Historically, the Trojan was used to target government agencies, nuclear power installations, and many other victims, and the China-based actor has now switched to interests in Russia and neighboring countries.

“Regardless of the TTPs, this ongoing APT points to the staying power of NetTraveler and the need for ongoing vigilance and technological protections against advanced persistent threats. Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,” Proofpoint says.