NetTraveler Returns in Chinese APT Targeting Russia

An APT group first spotted last year is now targeting Russia and nearby countries with the infamous information-stealing trojan NetTraveler.

The group, thought to be operating out of China, is focusing its efforts on weapons manufacturers, human rights activists, pro-democracy groups and others in Russia, Mongolia, Belarus, and unnamed European countries.

Proofpoint previously observed the same group in a campaign dating back to at least July 2015, when it used the PlugX RAT against telecoms, military and financial organizations in Russia.

Its modus operandi, according to Proofpoint, is as follows:

“One of this actor's favorite techniques is to register news and military lookalike sites and use them for Command and Control (C&C) and for payload hosting. Days prior to launching a wave of spear-phishing, the actor selects a victim-relevant news topic such as nuclear energy, military training, or geopolitics. The actor then finds a news article on the topic and uses it as a basis for the phishing lure, including file names, relevant decoy documents, image files, and email content.”
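The lookalike-domain technique Proofpoint describes is something a SOC can hunt for in its own DNS or proxy logs. The following is an added example, not code from the article or from Proofpoint: it compares the registrable domain of every query against a watchlist of legitimate news and military sites and flags confusable spellings, TLD swaps, near-miss spellings and brand names padded with extra tokens. The watchlist entries, the log lines, the confusable table and the edit-distance threshold are all constructed for illustration.

```python
"""Flag lookalike domains in DNS logs against a watchlist of sites an actor might imitate.

Added example (not the article's or Proofpoint's code). Watchlist, log lines and
thresholds are constructed; swap in your own list and a public-suffix parser for real use.
"""
import re
from collections import namedtuple

# Hypothetical watchlist of legitimate brands the actor might imitate (constructed names).
WATCHLIST = ["example-news.com", "army-bulletin.org", "geopolitics-daily.net"]

# Common confusable substitutions, applied to both sides before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

Match = namedtuple("Match", "domain target reason")


def normalise(label):
    """Lower-case a label and collapse look-alike character sequences."""
    label = label.lower()
    for a, b in CONFUSABLES:
        label = label.replace(a, b)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels. Good enough for this sample; use a public-suffix list in production."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain, watchlist=WATCHLIST, max_distance=2):
    """Return a Match if the domain imitates a watchlist entry, else None."""
    reg = registrable(domain)
    if reg in watchlist:
        return None  # the genuine site
    brand = normalise(reg.split(".")[0])
    for legit in watchlist:
        legit_brand = normalise(legit.split(".")[0])
        if brand == legit_brand:
            # Same brand once confusables are collapsed, or same brand on another TLD.
            return Match(domain, legit, "confusable-or-tld-swap")
        d = levenshtein(brand, legit_brand)
        if d <= max_distance:
            return Match(domain, legit, f"edit-distance-{d}")
        if legit_brand in brand:
            # Brand embedded with extra tokens, e.g. geopolitics-daily-news.net
            return Match(domain, legit, "brand-embedded")
    return None


# Constructed DNS query log lines (not real traffic).
SAMPLE_LOG = """\
2016-08-01T09:12:03Z client=10.1.2.3 query=www.example-news.com type=A
2016-08-01T09:12:41Z client=10.1.2.7 query=cdn.examp1e-news.com type=A
2016-08-01T09:13:05Z client=10.1.2.9 query=army-bulletin.info type=A
2016-08-01T09:13:50Z client=10.1.2.3 query=geopolitics-daily-news.net type=A
2016-08-01T09:14:12Z client=10.1.2.4 query=mail.internal.corp type=A
"""


def scan_log(text, watchlist=WATCHLIST):
    """Run classify() over every query= field in the log and collect the matches."""
    matches = []
    for line in text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m:
            hit = classify(m.group(1), watchlist)
            if hit:
                matches.append(hit)
    return matches


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.domain} looks like {hit.target} ({hit.reason})")
```

On the sample log this flags three of the five queries and leaves the genuine site and the internal host alone. An edit distance of 2 is loose for short brands, so in practice pair the match with newly-registered-domain data or first-seen timestamps before alerting.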

The spearphishing emails carry either a malicious link or an attachment as the lure, but the end goal is always the same: exploit CVE-2012-0158, the long-patched vulnerability in the MSCOMCTL ActiveX controls that is triggered through a crafted Office document, on the recipient's machine and install NetTraveler.
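Because the delivery vector is a known, patched vulnerability, a mail gateway or analyst can triage attachments for its tell-tale indicator before detonation. The following is an added example, not code from the article, Proofpoint or Kaspersky: it looks for the CLSIDs of the two MSCOMCTL.OCX controls (ListView and TreeView) that CVE-2012-0158 exploit documents embed, both as raw GUID bytes in an OLE file and as hex text inside an RTF `\objdata` group. The CLSIDs are the publicly known control identifiers; the sample documents are constructed filler, not real malware, and a hit is a reason to sandbox the file, not proof of exploitation, since the same controls appear in benign documents.

```python
"""Triage helper: flag documents embedding the MSCOMCTL controls abused by CVE-2012-0158.

Added example (not code from the article or the vendors it cites). Sample inputs are
constructed; a hit means "inspect further", since the controls also occur in benign files.
"""
import re
import uuid

# Publicly known CLSIDs of the MSCOMCTL.OCX controls reached by CVE-2012-0158 documents.
MSCOMCTL_CLSIDS = {
    "MSCOMCTL.ListViewCtrl": "BDD1F04B-858B-11D1-B16A-00C0F0283628",
    "MSCOMCTL.TreeCtrl": "C74190B6-8589-11D1-B16A-00C0F0283628",
}

# On disk a GUID is serialised with its first three fields little-endian.
CLSID_BYTES = {name: uuid.UUID(g).bytes_le for name, g in MSCOMCTL_CLSIDS.items()}

# \objdata is followed by hex text; RTF writers may break it across lines anywhere.
_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def rtf_objdata_blobs(data: bytes) -> list:
    """Decode every \\objdata hex run in an RTF file into raw bytes."""
    blobs = []
    for m in _OBJDATA.finditer(data):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]  # tolerate a dangling nibble from a truncated file
        blobs.append(bytes.fromhex(hexrun.decode("ascii")))
    return blobs


def find_mscomctl(data: bytes) -> list:
    """Names of MSCOMCTL controls whose CLSID occurs in the file, raw or RTF-hex-encoded."""
    # Always try the RTF decode: Word is lenient about headers, and it is cheap on non-RTF input.
    haystacks = [data] + rtf_objdata_blobs(data)
    return sorted(name for name, clsid in CLSID_BYTES.items()
                  if any(clsid in h for h in haystacks))


# Constructed samples (not real malware).
_LISTVIEW_HEX = CLSID_BYTES["MSCOMCTL.ListViewCtrl"].hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata 01050000020000000f000000"  # OLE1-style filler
    + _LISTVIEW_HEX[:10] + b"\r\n" + _LISTVIEW_HEX[10:]                   # CLSID split by a line break
    + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly nuclear energy briefing, figures attached.}"
# OLE2 compound-file magic, some padding, then the TreeView CLSID as raw bytes.
SAMPLE_OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
              + CLSID_BYTES["MSCOMCTL.TreeCtrl"] + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_mscomctl(fh.read())
        print(f"{path}: {', '.join(hits) if hits else 'no MSCOMCTL CLSID found'}")
```

Run it as `python triage.py attachment.rtf other.doc` to check files from a mailbox or quarantine. It deliberately does not try to defeat RTF obfuscation (control-word noise inside the hex, nested objects); for anything that fails to parse cleanly, hand the file to a full RTF parser or a sandbox rather than trusting a clean result.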

The trojan has been in active use for over 10 years, proof of its staying power and of the need for organizations to remain vigilant against highly determined APT threat actors.

For example, it was used in a long-running global campaign targeting Tibetan and Uyghur activists, oil companies and government agencies, among others. Spotted by Kaspersky Lab in 2013, the campaign affected a whopping 350 high-profile victims in 40 countries.

“Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,” Proofpoint warned.

Source: Information Security Magazine