Researchers at Kaspersky Lab revealed that they have discovered a new attack vector for NetTraveler – an attack campaign that has infected hundreds of victims across more than 40 countries.
First revealed publicly in June, NetTraveler’s targets have included the oil industry, universities, government institutions and Tibetan/Uyghur activists. After the operation was publicly exposed, the attackers immediately shut down all the known command and control (C&C) systems and moved them to new servers in China, Taiwan and Hong Kong and continued their attacks.
According to Kaspersky Lab, during the past few days, spear-phishing emails were sent to multiple Uyghur activists that included a Java exploit used to infect users with a new variant of the NetTraveler malware. The move was a change from previous attacks, which targeted Microsoft Office (CVE-2012-0158).
In a blog post, Kaspersky Lab Director of Global Research and Analysis Costin Raiu explained that the spear-phishing emails contain a link to a page that appears to be on the World Uyghur Congress website. The real page link however leads to a known NetTraveler domain.
“This simple HTML loads and runs a Java applet named “new.jar” (c263b4a505d8dd11ef9d392372767633),” he blogged. “The “new.jar” is an exploit for CVE-2013-2465, a very recent vulnerability in Java versions 5, 6 and 7, that was fixed by Oracle in June 2013. It’s detected and blocked by Kaspersky products generically as “HEUR:Exploit.Java.CVE-2013-2465.gen”.”
On top of the spear-phishing emails, the attackers have set up watering holes to trap victims as well. During the past month, Kaspersky Lab said it has intercepted and blocked infection attempts from the wetstock.org domain – a site linked to previous NetTraveler attacks. The redirections appear to come from another Uyghur-related website belonging to the Islamic Association of Eastern Turkistan.
The firm recommends users update Java and other third-party software to the most recent version, and be wary of clicking on links or opening attachments from unknown parties.
“So far, we haven’t observed the use of zero-day vulnerabilities with the NetTraveler group,” Raiu said in a statement. “To defend against those, although patches don’t help, but technologies such as Automatic Exploit Prevention and DefaultDeny can be quite effective fighting advanced persistent threats.”