APT Group Uses NetTraveler to Spy on Russian, European Victims
NetTraveler, a Trojan that is over a decade old, was recently observed in a series of cyber-espionage attacks launched against victims in Russia and neighboring European countries, Proofpoint researchers warn. Proofpoint believes the group is operating out of China.
Also known as TravNet, the malware was distributed via spear phishing emails that contained URLs to RAR-compressed executables and malicious Microsoft Word documents that attempted to exploit a 4-year old vulnerability in Office. The security flaw, tracked as CVE-2012-0158 and patched in 2012, is still used in numerous attacks, Sophos researchers revealed earlier this week.
The NetTraveler Trojan, used in this campaign against victims in Russia, Mongolia, Belarus, and other European countries, has been associated with numerous attacks launched by advanced persistent threat (APT) groups in the past. Back in 2013, Kaspersky Lab revealed a cyber-espionage campaign that hit targets in 40 countries with this piece of malware. Soon after, the actor moved to new servers and switched to targeting Uyghur activists.
In May this year, Kaspersky Lab revealed that a remote code execution vulnerability in Office, tracked as CVE-2015-2545, was abused by multiple APTs, including the group related to NetTraveler and DragonOK. Last week, Palo Alto Networks uncovered links between Chinese APT malware by analyzing MNKit, a document exploit generator, and NetTraveler’s name popped up as well.
Now, Proofpoint says that the China-based using NetTraveler in recent attacks might have also used Saker, Netbot, DarkStRat, and LURK0 Gh0st in its cyber-espionage activities. The group, which is usually focusing on organizations such as weapons manufacturers, human rights activists, and pro-democracy groups, among others, also employed PlugX for nefarious operations last year.
The actor was observed registering news and military lookalike sites that it uses for Command and Control (C&C) and for payload hosting. Before launching an attack, the actor finds a relevant article on a news topic such as nuclear energy, military training, or geopolitics, and uses it as a basis for the phishing lure, researchers explain.
The phishing emails sent to victims either include a link to RAR SFX-packaged executables that are hosted on look-alike domains, but which install NetTraveler. Other emails include a malicious Microsoft Word document as attachment. Designed to exploit CVE-2012-0158, these documents were built using MNKit and various builder artifacts are visible in the document. Depending on the targeted country, the actor switches lures and decoys accordingly.
The actor set up its domains with the same registrar in Beijing, referred to as “Shanghai Meicheng Technology Information Development Co., Ltd.,” but provided randomized information at registration (except for email addresses). According to Proofpoint researchers, the new campaign shows similarities with the PlugX campaign spotted last year, in terms of infrastructure.
The NetTraveler Trojan uses a DLL side-loading technique (a clean signed executable fsguidll.exe or RasTls.exe is used to sideload fslapi.dll or rastls.dll, respectively). The malware uses a configuration file with a known format.
Being used for over a decade for cyber-espionage, NetTraveler continues to prove a powerful threat, demanding increased vigilance and technological protections, researchers say. Historically, the Trojan was used to target government agencies, nuclear power installations, and many other victims, and the China-based actor has now switched to interests in Russia and neighboring countries.
“Regardless of the TTPs, this ongoing APT points to the staying power of NetTraveler and the need for ongoing vigilance and technological protections against advanced persistent threats. Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,” Proofpoint says.
More from SecurityWeek News
- Threat Hunting Summit Virtual Event NOW LIVE
- Video: ESG – CISO’s Guide to an Emerging Risk Cornerstone
- Threat Modeling Firm IriusRisk Raises $29 Million
- SentinelOne Announces $100 Million Venture Fund
- Today: 2022 CISO Forum Virtual Event
- Cymulate Closes $70M Series D Funding Round
- SecurityWeek to Host CISO Forum Virtually September 13-14, 2022: Registration is Open
- Privilege Escalation Flaw Haunts VMware Tools
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
