Press Release

NetTraveler is Back: The Red Star APT Returns With New Tricks

Kaspersky Lab Global Research and Analysis Team Announces New Attack Vector of NetTraveler

Woburn, MA – September 3, 2013 researchers today announced a new attack vector of NetTraveler (also known as “Travnet”, “Netfile” or Red Star APT), an advanced persistent threat that has already infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

Immediately after
the public exposure of the NetTraveler operations in June, 2013, the attackers shut down all known command and control systems and moved them to new servers in China, Hong Kong and Taiwan. They also continued the attacks unhindered, just like the current case shows.

Over the last few days, several spear-phishing e-mails were sent to multiple Uyghur activists. The Java exploit used to distribute this new variant of the Red Star APT was only recently patched in June 2013 and has a much higher success rate. The earlier attacks have used Office exploits (CVE-2012-0158) that was patched by Microsoft last April.

In addition to the use of spear-phishing e-mails, APT operators have adopted the watering hole technique (web redirections and drive-by downloads on rigged domains) to infect victims surfing the web.

Over the last month, Kaspersky Lab intercepted and blocked a number of infection attempts from the “wetstock[dot]org” domain, which is a known site linked to previous NetTraveler attacks. These redirections appear to come from other Uyghur-related websites that were compromised and infected by the NetTraveler attackers.

Kaspersky Lab’s Global Research and Analysis Team (GReAT) experts predict that other recent exploits could be integrated and used against the group’s targets and offer recommendations on how to stay safe from such attacks, including:

●        Update Java to the most recent version or, if you don’t use Java, uninstall it.

●        Update Microsoft Windows and Office to the latest versions.

●        Update all other third party software, such as Adobe Reader.

●        Use a secure browser such as Google Chrome, which has a faster development and patching cycle than
  Windows’ default Internet Explorer.

●        Be wary of clicking on links and opening attachments from unknown persons.

Quotes
Costin Raiu, Director of Global Research & Analysis Team
Kaspersky Lab
“So far, we haven’t observed the use of zero-day vulnerabilities with the NetTraveler group. To defend against those, although patches don’t help, but technologies such as Automatic Exploit Prevention and DefaultDeny can be quite effective fighting advanced persistent threats.”

To get more information about NetTraveler new attack, please refer to
securelist.com.

About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contacts
Susan Rivera 
781.503.5211
Susan.rivera@kaspersky.com