NetTraveler APT still targets European and Russian interests

Pierluigi Paganini July 09, 2016

Security experts from ProofPoint have spotted a new campaign operated by the APT Group NetTraveler that is targeting Russian and European organizations.

NetTraveler is an ATP group first spotted by Kaspersky in 2013, when researchers discovered an espionage activity against over 350 high profile victims from 40 countries.

The name of the operation derives from the malicious code used in the attacks, the surveillance malware NetTraveler. According to the report published by Kaspersky, the threat actor is linked to China.
The NetTraveler campaign has been running since 2004 targeting  Tibetan/Uyghur activists, government institutions, energy companies as well as contractors and embassies.
NetTraveler campaign victim sectors
The largest number of infections was observed in Mongolia, India, and Russia but  also China and many other European countries (Germany, the UK and Spain) were hit by the hackers.
At the time of the report, Kaspersky’s team speculated that the group of hackers was composed of around 50 individuals, many of them Chinese-speaking but with a good knowledge of English.
NetTraveler campaign infections
The group leverages on spear phishing campaigns to deceive victims and trick them into clicking on URLs to RAR-compressed executables and malicious Microsoft Word documents that attempted to exploit the 4-year old vulnerability CVE-2012-0158 in Microsoft Office.
The CVE-2012-0158 flaw was patched in 2012, but it is still exploited by an impressive number of attacks in the wild, let’s think to the “The Four Element Sword” weaponized document builder used in APT Attacks, or to the Operation Transparent Tribe targeting Indian diplomatic and military entities discovered by ProofPoint.

In May 2016, expert from Kaspersky Lab discovered a remote code execution vulnerability (CVE-2015-2545) in Office exploited by multiple APTs. In the same month security experts from PaloAlto Networks collected evidence that the Operation Ke3chang discovered by FireEye in 2013 is still ongoing. In this case, experts spotted phishing attacks relied on email with attached an MHTML document that was specifically crafted to trigger the Microsoft Office vulnerability (CVE-2015-2545) and drop the TidePool malware.

Experts from Proofpoint reported that China-based threat actor is using NetTraveler in recent attacks on Russian and European organizations, including weapons manufacturers, human rights activists, and pro-democracy groups, among others.

The new NetTraveler campaign shows similarities with the PlugX one discovered last year.

“Previously we described activity by the same actor “In Pursuit of Optical Fibers and Troop Intel” [2] in which this group utilized PlugX malware to target various telecommunication and military interests in Russia.” states ProofPoint. “Since January 2016, this group switched to using NetTraveler and varied its targets, but otherwise left most of its tools, techniques, and procedures (TTPs) unchanged. It is worth noting that this and other China-based espionage groups have reduced their reliance on PlugX for unknown reasons, with only a few major incidents involving PlugX this year.” 

The attackers used relevant articles on a news topic such as nuclear energy, geopolitics, and military, and uses it as bait.


The malicious emails either include a link to RAR SFX-packaged executables that are hosted on look-alike domains, that install NetTraveler.

In other attacks, the threat actors used emails with a malicious Microsoft Word document as attachment that embeds the code to exploit the CVE-2012-0158 flaw.

The threat actor set up its domains with the same registrar “Shanghai Meicheng Technology Information Development Co., Ltd.,” providing fake information at each registration.

ProofPoint published the analysis of the NetTraveler implants that still use a DLL side-loading technique.

“The payloads described here used the clean, signed executable fsguidll.exe (F-secure GUI component) to sideload fslapi.dll or the clean, signed executable RasTls.exe to sideload rastls.dll.” states ProofPoint.

“Regardless of the TTPs, this ongoing APT points to the staying power of NetTraveler and the need for ongoing vigilance and technological protections against advanced persistent threats. Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,” 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cyber espionage, NetTraveler)

you might also like

leave a comment