According to sinkhole analysis from Kaspersky Lab, the campaign is being carried out by an organized group. “We estimate the group size to about 50 individuals, most of whom speak Chinese natively and have working knowledge of the English language,” it said.
The malware is part of an advanced persistent threat (APT) campaign and is used for basic surveillance of its victims. It is designed to steal sensitive data: it logs keystrokes, retrieves file system listings and exfiltrates Microsoft Office and PDF documents.
Known targets of NetTraveler (also known as Travnet or Netfile) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors. Most recently, the NetTraveler group’s main domains of interest for cyber-espionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.
NetTraveler has been around since at least 2005 (the name comes from an internal string that is present in early versions of the malware: “NetTraveler Is Running!”). References also exist indicating activity as early as 2004, but the largest number of samples the security firm observed was created between 2010 and 2013. It acknowledges, however, that this may be the tip of the iceberg. “Taking into account that several other C&C servers exist for which we have no logs and the KSN coverage, we estimate the total number of victims worldwide to be around 1,000,” Kaspersky noted.
Interestingly, it appears that the Chinese-speaking group is looking to spy on entities rather close to home: the highest number of infections can be found in Mongolia, followed by India and Russia. But infections were identified in 40 countries, including Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain, Germany, the US, Canada, the UK, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, Iran, Turkey, Pakistan, Thailand, Qatar and Jordan.
Kaspersky also said that NetTraveler is often used in tandem with other malware families. For instance, it identified six victims that had been infected by both NetTraveler and Red October.
The attack vector is a tried-and-true, but simplistic one: NetTraveler victims are infected through spear-phishing attacks using Office documents, which exploit two publicly known vulnerabilities: CVE-2012-0158 and CVE-2010-3333.
“Although these vulnerabilities have been patched by Microsoft, they remain effective and are among the most exploited in targeted attacks,” Kaspersky said. “During our analysis, we did not see any advanced use of zero-day vulnerabilities or other malware techniques such as rootkits. It is therefore surprising to observe that such unsophisticated attacks can still be successful with high profile targets.”
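The two sentences above describe the whole initial-access chain: a spear-phishing e-mail carrying an Office or RTF attachment that exploits an already patched vulnerability. A mail gateway or incident responder can triage such attachments offline before anyone opens them. The script below is an added illustration written for this article, not code from Kaspersky or from the malware analysis it reports on. It identifies the container type by magic bytes, flags RTF files that carry the “pFragments” shape property that public signatures for CVE-2010-3333 key on, and looks for the “NetTraveler Is Running!” marker string quoted earlier in the article. The sample “attachments” are constructed byte strings, not real malware, and the detection patterns are deliberately simple heuristics (RTF control words can be obfuscated, so a production rule set would be broader).

```python
import re

# Constructed sample attachments (not real malware): name -> raw bytes.
SAMPLES = {
    # RTF with a shape whose property name is pFragments, the pattern public
    # CVE-2010-3333 signatures look for.
    "report.rtf": (b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;"
                   + b"41" * 64 + b"}}}}"),
    # OLE2 compound document (legacy .doc) carrying the marker string quoted
    # in the article, as an early NetTraveler sample would.
    "budget.doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                   + b"NetTraveler Is Running!" + b"\x00" * 16),
    # Benign OOXML (zip-based) document and a plain text file for contrast.
    "notes.docx": b"PK\x03\x04" + b"\x00" * 32,
    "memo.txt": b"Hello",
}

# Internal string present in early NetTraveler versions (quoted in the article).
NETTRAVELER_MARKER = b"NetTraveler Is Running!"

# RTF shape property name used by CVE-2010-3333 exploit documents.
# \sn is the "shape property name" control word; whitespace and case vary.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(data: bytes) -> str:
    """Identify the container format from its leading bytes.

    Word accepts RTF that starts with just "{\\rt", so that short prefix is
    checked rather than the full "{\\rtf1" header.
    """
    if data.startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"
    return "other"


def triage(name: str, data: bytes) -> dict:
    """Return a triage record for one attachment.

    'findings' lists the heuristics that fired; 'suspicious' is True when any
    did. Office-type containers with no findings are still reported so a
    policy can route them to a sandbox rather than deliver them directly.
    """
    kind = classify(data)
    findings = []
    if kind == "rtf" and PFRAGMENTS_RE.search(data):
        findings.append("rtf-pFragments (CVE-2010-3333 exploit pattern)")
    if NETTRAVELER_MARKER in data:
        findings.append("NetTraveler marker string")
    return {
        "name": name,
        "type": kind,
        "findings": findings,
        "suspicious": bool(findings),
        # Legacy binary formats are the ones the article's two CVEs live in.
        "sandbox": kind in ("rtf", "ole2"),
    }


def triage_all(samples: dict) -> list:
    """Triage every attachment and return the names that should be blocked."""
    return [r["name"] for r in (triage(n, d) for n, d in samples.items())
            if r["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
    print("block:", triage_all(SAMPLES))
```

Run as a script it prints one record per sample and the names to block; as a module it exposes triage() for a gateway hook. The "sandbox" flag is the useful defensive caveat: a document that trips no signature is not therefore safe, which is exactly why two long-patched bugs still worked against high-profile targets.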
Kaspersky has recently uncovered espionage campaigns that are similar in intent and targets, such as a March attack on Tibetan and Uyghur activists. In that case, the email account of a high-profile Tibetan activist was hacked and used to send spear-phishing emails to a contact list of other activists and human rights advocates. The messages referred to a human rights conference in Geneva organized by multiple activist groups; that conference has been used as a lure in a number of attacks, Kaspersky said. That particular effort carried out its spying by way of Android-based malware, but it demonstrates the ongoing, morphing nature of many of these espionage campaigns.