has observed a rise in attacks with an updated version of the “red star” APT
Woburn, MA – August 27, 2014 – This year the actors behind the global cyberespionage campaign “Operation NetTraveler” celebrate 10 years of activity. Although the earliest samples appeared to have been compiled in 2005, certain indicators point to 2004 as the year when the malicious activity started. For 10 years, NetTraveler has targeted more than 350 high-profile victims in 40 countries. In 2014, Kaspersky Lab observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor with a new encryption scheme. During the investigation, Kaspersky Lab discovered seven command and control (C&C) servers located in Hong Kong and one in the USA.
Recent NetTraveler victims by industries
Most recently, the main focus of interest for cyber-espionage activities revolved around diplomatic (32%), government (19%), private (11%), military (9%), industrial and infrastructure (7%), airspace (6%), research (4%), activism (3%), financial (3%), IT (3%), health (2%) and
Infection method: a “newer” backdoor
As is traditional for this malicious group, the attacks began with spear-phishing emails that targeted activists. The email had two attachments: a non-malicious JPG file and a Microsoft Word .DOC file, which appeared to be a container with an exploit for the CVE-2012-0158 vulnerability in Microsoft Office. Kaspersky Lab determined that this malicious Web-archive file had been created on a system using Microsoft Office - Simplified Chinese.
If it is opened on a vulnerable version of Microsoft Office, the exploit drops the main module, a Trojan-Spy. The malware configuration file now has a slightly newer format compared to “older” NetTraveler samples, showing that the developers behind NetTraveler have taken steps to try to hide the malware’s configuration.
After the successful injection, NetTraveler exfiltrates common file types such as DOC, XLS, PPT, RTF and PDF.
The discovered C&C servers
Kaspersky Lab identified several C&C servers. Seven out of eight malicious C&C servers were registered by Shanghai Meicheng Technology, and the IPs are located in Hong Kong (Trillion Company, Hongkong Dingfengxinhui Bgp Datacenter, Sun Network Limited and Hung Tai International Holdings). The other was registered by Todaynic.com Inc. with the IP located in the USA.
“While investigating the NetTraveler attacks, we calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes. This is an ongoing cyber-espionage campaign and, according to the last attacks against the activists, it will probably stay this way perhaps for another ten years. The most sophisticated threats appeared on the surgical table of IT security companies not that long ago, but the NetTraveler example shows that a disease could persist off the radar for a long time,” says Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
How to stay safe from the updated NetTraveler malware:
Block all malicious hosts in your firewall
Update Microsoft Windows and Microsoft Office to the latest versions
Be wary of clicking on links and opening attachments from unknown senders
Use a secure browser such as Google Chrome, which has a faster development and patching cycle than Microsoft's
Kaspersky Lab’s products detect and neutralize the malicious programs and their variants used by the NetTraveler Toolkit, including Trojan-Dropper.Win32.Agent.lifr, Trojan-Spy.Win32.TravNet, Trojan-Spy.Win32.TravNet.qfr, Trojan.BAT.Tiny.b and Downloader.Win32.NetTraveler.
Kaspersky Lab’s products detect the Microsoft Office exploits used in the spear-phishing attacks, including Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158,
To learn more about the NetTraveler operation, please read the blog post available at Securelist.com.
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
For the latest in-depth information on security threat issues and trends, please visit:
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.