Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Decade-old NetTraveler Malware Used in Multi-National Attacks

APT Group Uses NetTraveler to Spy on Russian, European Victims

APT Group Uses NetTraveler to Spy on Russian, European Victims

NetTraveler, a Trojan that is over a decade old, was recently observed in a series of cyber-espionage attacks launched against victims in Russia and neighboring European countries, Proofpoint researchers warn. Proofpoint believes the group is operating out of China.

Also known as TravNet, the malware was distributed via spear phishing emails that contained URLs to RAR-compressed executables and malicious Microsoft Word documents that attempted to exploit a 4-year old vulnerability in Office. The security flaw, tracked as CVE-2012-0158 and patched in 2012, is still used in numerous attacks, Sophos researchers revealed earlier this week.

The NetTraveler Trojan, used in this campaign against victims in Russia, Mongolia, Belarus, and other European countries, has been associated with numerous attacks launched by advanced persistent threat (APT) groups in the past. Back in 2013, Kaspersky Lab revealed a cyber-espionage campaign that hit targets in 40 countries with this piece of malware. Soon after, the actor moved to new servers and switched to targeting Uyghur activists.

In May this year, Kaspersky Lab revealed that a remote code execution vulnerability in Office, tracked as CVE-2015-2545, was abused by multiple APTs, including the group related to NetTraveler and DragonOK. Last week, Palo Alto Networks uncovered links between Chinese APT malware by analyzing MNKit, a document exploit generator, and NetTraveler’s name popped up as well.

Now, Proofpoint says that the China-based using NetTraveler in recent attacks might have also used Saker, Netbot, DarkStRat, and LURK0 Gh0st in its cyber-espionage activities. The group, which is usually focusing on organizations such as weapons manufacturers, human rights activists, and pro-democracy groups, among others, also employed PlugX for nefarious operations last year.

The actor was observed registering news and military lookalike sites that it uses for Command and Control (C&C) and for payload hosting. Before launching an attack, the actor finds a relevant article on a news topic such as nuclear energy, military training, or geopolitics, and uses it as a basis for the phishing lure, researchers explain.

The phishing emails sent to victims either include a link to RAR SFX-packaged executables that are hosted on look-alike domains, but which install NetTraveler. Other emails include a malicious Microsoft Word document as attachment. Designed to exploit CVE-2012-0158, these documents were built using MNKit and various builder artifacts are visible in the document. Depending on the targeted country, the actor switches lures and decoys accordingly.

The actor set up its domains with the same registrar in Beijing, referred to as “Shanghai Meicheng Technology Information Development Co., Ltd.,” but provided randomized information at registration (except for email addresses). According to Proofpoint researchers, the new campaign shows similarities with the PlugX campaign spotted last year, in terms of infrastructure.

The NetTraveler Trojan uses a DLL side-loading technique (a clean signed executable fsguidll.exe or RasTls.exe is used to sideload fslapi.dll or rastls.dll, respectively). The malware uses a configuration file with a known format.

Being used for over a decade for cyber-espionage, NetTraveler continues to prove a powerful threat, demanding increased vigilance and technological protections, researchers say. Historically, the Trojan was used to target government agencies, nuclear power installations, and many other victims, and the China-based actor has now switched to interests in Russia and neighboring countries.

“Regardless of the TTPs, this ongoing APT points to the staying power of NetTraveler and the need for ongoing vigilance and technological protections against advanced persistent threats. Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,” Proofpoint says.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.