APT malware NetTraveler learning new tricks

An Advanced Persistent Threat (APT) called NetTraveler has been spotted making mischief again, but it appears to have learned a few new tricks since it was last spotted in June.

The malware is now exploiting a known Java vulnerability, CVE-2013-2465, and has added watering-hole attacks to its propagation strategy, according to new research from Kaspersky Lab.

Kaspersky sounded the alarm about NetTraveler, also known as Travnet and Netfile, in June, when it reported the backdoor software was spearheading a cyber espionage campaign that had been running for eight years.

The campaign targeted more than 350 high-profile victims from more than 40 countries, including political activists, research centers, governmental institutions, embassies, military contractors and private companies from various industries.

At that time, NetTraveler was exploiting two vulnerabilities in Microsoft Office, CVE-2012-0158 and CVE-2010-3333, both previously patched by the software maker.

At the time, NetTraveler wasn't the only backdoor exploiting old Office vulnerabilities. Rapid7 discovered another bad app, KeyBoy, also engaged in similar shenanigans.

This time, though, NetTraveler's puppetmasters are training their sights on Java. In one flavor of the attack, spear phishing messages containing malicious links are sent to likely targets. The link leads to a poisoned website which will stealthily infect the computer of an unsuspecting visitor with the APT, which is programmed to steal files from its host.

"In addition to the spear phishing e-mails, watering hole attacks have become another popular method to attack unsuspecting victims by the APT operators," Kaspersky researcher Costin Raiu wrote in a blog post.

"There is perhaps no surprise that the NetTraveler attacks are now using this method as well," he said.

All the NetTraveler activity observed by Kaspersky has been aimed at Uyghur activists. They have been agitating for the separation from China of largely Muslim East Turkistan, located in Xinjiang, a region in the northwest corner of that country. So it's no surprise that the malware operators chose the Islamic Association of Eastern Turkistan website for their watering-hole attack.


The attackers planted an iframe on the IAET home page that fetches malware from a site they control and clandestinely plants it on the computers of IAET visitors.
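The injected-iframe pattern described above is also what a defender looks for when checking whether a trusted site has been turned into a watering hole. The following is an added example, not code from the article or from Kaspersky's research: it parses fetched HTML and flags every iframe that loads from a host other than the site itself or that is sized or styled to be invisible to the visitor. The sample page, the site host `www.example.org` and the domain `malware.invalid` are constructed placeholders.

```python
# Added example, not from the article or Kaspersky's research: a defender's
# check that flags <iframe> elements in fetched HTML that load from another
# host or are styled to be invisible (the pattern described for the IAET page).
# The sample page and the domains in it are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True when the frame is sized or styled so a visitor would not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width", "").lower() in tiny
            or attrs.get("height", "").lower() in tiny
            or "hidden" in attrs)  # bare `hidden` attribute


def find_suspicious_iframes(html, site_host):
    """Return (src, reason) for every iframe that is off-site and/or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same site
        reasons = []
        if host.lower() != site_host.lower():
            reasons.append("off-site src")
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, ", ".join(reasons)))
    return findings


# Constructed sample: a legitimate embedded page next to an injected 0x0 frame.
SAMPLE_PAGE = ('<html><body><iframe src="/news/video.html" width="640"></iframe>'
               '<iframe src="http://malware.invalid/x.html" width="0" height="0">'
               '</iframe></body></html>')
```

Running `find_suspicious_iframes(SAMPLE_PAGE, "www.example.org")` reports only the second frame, with both reasons; a scheduled diff of these findings against a known-good baseline of the site's own pages is one practical way to catch an injection early.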

"Spear phishing campaigns are still the tip of the spear for attack vectors," said JD Sherry, vice president of Technology and Solutions for Trend Micro.

"However," he continued, "the intelligent hacking crews, the more sophisticated hacking crews, are leveraging these water holing techniques."

Water holing allows attackers to compromise a trusted site and infect the site's loyal followers. "Attackers will inject malicious capabilities into that site through a vulnerability," Sherry told CSOonline.

"Waterholing is a huge attack vector," he said. "We're seeing a seismic shift in water holing capabilities. That's going to continue as some of the sophisticated hacking crews begin to compromise news outlets and financial sites -- places where people go day-to-day with unprotected systems."

Because NetTraveler exploits a known vulnerability, it's less advanced than APTs that use little-known or unknown vulnerabilities, Sherry asserted.

"This vulnerability has been persistent for several months now," he said, "and if end users were running appropriate anti-virus and updated patches, they would have been protected from this vulnerability."

Patching systems, however, is a problem even for companies with a management system in place to do it, said Scott Gordon, CMO of ForeScout Technologies. That's because the patching process can be gap prone.

"We find that in from five to 25 percent of operating environments where there's change management and patching, there's a gap where the management system is saying one thing and the host configuration is not in parity," Gordon said in an interview.

"Five percent in a 100 to 200 endpoint operating environment may not be a big deal," he said. "But once you get into the thousands, it starts adding up and your gap is larger."

Although NetTraveler's handlers are exploiting a well-known vulnerability now, that may not be the case in the future. "I suspect they will rely less on the main NetTraveler malware they're known for," said Nart Villeneuve, a senior threat intelligence researcher at FireEye.

"They'll start to rely on less well-known pieces of malware that they have in their arsenal," he said.

While those handlers have diverged from the days of exploiting Microsoft Office vulnerabilities, they aren't about to create another Stuxnet.

"They don't seem to enlist an elite offensive technical skillset," Kurt Baumgartner, a senior security researcher at Kaspersky, said in an email. "So their progress will most likely push towards modes of delivering client side attacks, and not more advanced exploitation."


Stories by John P. Mello
