Kaspersky Lab has observed a rise in attacks with an updated version of the “red star” APT backdoor
Woburn, MA – August 27, 2014 - This year the actors behind the global cyberespionage campaign “Operation NetTraveler” celebrate 10 years of activity. Although the earliest samples appeared to have been compiled in 2005, certain indicators point to 2004 as the year when the malicious activity started. For 10 years, NetTraveler has targeted more than 350 high-profile victims in 40 countries. In 2014, Kaspersky Lab observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor with a new encryption scheme. During the investigation, Kaspersky Lab discovered seven command and control (C&C) servers located in Hong Kong and one in the USA.
Recent NetTraveler victims by industries
Most recently, the main focus of interest for cyber-espionage activities revolved around diplomatic (32%), government (19%), private (11%), military (9%), industrial and infrastructure (7%), airspace (6%), research (4%), activism (3%), financial (3%), IT (3%), health (2%) and press (1%).
Infection method: a “newer” backdoor
Traditionally for this malicious group, the attacks began with spear-phishing emails that targeted activists. The email had two attachments, a non-malicious JPG file and a Microsoft Word .DOC file, which appeared to be a container with an exploit for the CVE-2012-0158 vulnerability for Microsoft Office. Kaspersky Lab determined that this malicious Web-archive file had been created on a system using Microsoft Office - Simplified Chinese.
Now, if it’s run on a vulnerable version of Microsoft Office, the exploit drops the main module – Trojan-Spy. The malware configuration file now has a slightly newer format compared to “older” NetTraveler samples. Showcasing that the developers behind NetTraveler have taken steps to try and hide the malware’s configuration.
After the successful injection, NetTraveler exfiltrates common file types such as DOC, XLS, PPT, RTF and PDF.
The discovered C&C servers
Kaspersky Lab identified several C&C servers. Seven out of eight malicious C&C servers were registered by Shanghai Meicheng Technology, and the IPs are located in Hong Kong (Trillion Company, Hongkong Dingfengxinhui Bgp Datacenter, Sun Network Limited and Hung Tai International Holdings). The other was registered by Todaynic.com Inc. with the IP located in the USA (Integen Inc.).
“While investigating the NetTraveler attacks, we calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes. This is an ongoing cyber-espionage campaign and, according to the last attacks against the activists, it will probably stay this way perhaps for another ten years. The most sophisticated threats appeared on the surgical table of IT security companies not that long ago, but NetTraveler example shows that a disease could persist out of radar for long time” says Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
Recommendations on how to stay safe from the updated NetTraveler malware:
- Block all malicious hosts in your firewall
- Update Microsoft Windows and Microsoft Office to the latest versions
- Be wary of clicking on links and opening attachments from unknown senders
- Use a secure browser such as Google Chrome, which has a faster development and patching cycle than Microsoft's Internet Explorer.
Kaspersky Lab’s products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit, including Trojan-Dropper.Win32.Agent.lifr, Trojan-Spy.Win32.TravNet, Trojan-Spy.Win32.TravNet.qfr, Trojan.BAT.Tiny.b and Downloader.Win32.NetTraveler.
Kaspersky Lab’s products detect the Microsoft Office exploits used in the spear-phishing attacks, including Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158,Exploit.MSWord.CVE-2012-0158.db.
To learn more about the NetTraveler operation, please read the blog post available at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter
Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.