Home Hot TopicsSecurity NetTraveler Gets a Makeover for 10th Anniversary

NetTraveler Gets a Makeover for 10th Anniversary

by CioAxis

In 2014 the actors behind global cyberespionage campaign “Operation NetTraveler” celebrate ten years of activity. Although the earliest samples appeared to have been compiled in 2005, certain indicators point to 2004 as the year when the malicious activity started. For 10 years, NetTraveler has targeted more than 350 high-profile victims in 40 countries. This year Kaspersky Lab observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor with a new encryption scheme. During the investigation, Kaspersky Lab discovered seven C&C servers located in Hong Kong and one – in the USA.

Recent NetTraveler victims by industries

Most recently, the main focus of interest for cyber-espionage activities revolved around diplomatic (32%), government (19%), private (11%), military (9%), industrial and infrastructure (7%), airspace (6%), research (4%), activism (3%), financial (3%), IT (3%), health (2%) and press (1%).

Infection method: a “newer” backdoor

Traditionally for this malicious group, the attacks started with spear-phishing e-mails targeted activists. The e-mail had two attachments, a non-malicious JPG file and a Microsoft Word .DOC file appeared to be a container with an exploit for the CVE-2012-0158 vulnerability for Microsoft Office. Kaspersky Lab determined that this malicious web archive file has been created on a system using Microsoft Office – Simplified Chinese.

If run on a vulnerable version of Microsoft Office, the exploit drops the main module – Trojan-Spy. The malware configuration file has a slightly new format compared to “older” NetTraveler samples. Obviously, the developers behind NetTraveler have taken steps to try to hide the malware’s configuration.

After the successful injection, NetTraveler exfiltrates common file types such as DOC, XLS, PPT, RTF and PDF.


Recommended for You

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Close Read More

See Ads