When NetTravler was unveiled in June, Costin Raiu of Kaspersky Lab warned that the espionage campaign was an “ugly gorilla with a thousand faces” and that we hadn’t seen them all yet.
A little more than two months later, another profile of the malware targeting activists, diplomats, government targets and the scientific research community, has reared its head.
Raiu said today that a variant has been spotted by Kaspersky’s Global Research and Analysis Team and unlike its first go-round which targeted Microsoft Office vulnerabilities, this new take on NetTraveler exploits a recently patched Java bug. The group behind the attacks has also jumped on the watering hole attack bandwagon, having compromised an Uyghur-related website and redirecting victims to an attack site.
“Watering hole attacks have become another popular method to attack unsuspecting victims by the APT operators,” Raiu wrote on Securelist, the Kaspersky Lab research blog. “There is perhaps no surprise that the NetTraveler attacks are now using this method as well.”
NetTraveler has zeroed in on Tibetan and Uyghur activists in addition to a number of manufacturing, research and even military targets. The first version, which spread via spear phishing emails and dropped Office documents carrying malicious attachments, exfiltrated files from victims’ machines and send them to a command and control infrastructure that overlapped with one used by the Gh0st RAT campaign. Office document files such as Word, Excel and PowerPoint files were uploaded to command and control servers; the malware’s configuration files can also be modified to steal design documents such as those done on Corel Draw or AutoCAD files. To date, NetTraveler has infected victims in more than 40 countries, Raiu said.
The variant reported today also targets the same victim demographics, but has expanded beyond spear phishing to watering hole attacks, which provide attackers with the ability to cast a wider net at potential victims by infecting websites they’re likely to visit with exploits that redirect them to an attacker-controlled site where more malware awaits.
The updated NetTraveler was spotted in the last week, Raiu said, targeting several Uyghur activists with an email promising a statement from the World Uyghur Congress on a massacre in the Karghiliq country. The link to the statement spoofs the Uyghur Congress website, and instead points victims to a NetTraveler domain weststock[.]org. A Java exploit called new.jar on the page is for a vulnerability patched in June by Oracle, CVE-2013-2465, that affects Java 7U21 and earlier, Java 6U45 and earlier and Java 5U45 and earlier. The payload is a backdoor dropper called file.temp used by NetTraveler, compiled on May 30, Raiu said.
Once up and running on the victim’s machine, the NetTraveler variant connects to a command and control server hosted at Multacom Corp., in Los Angeles; the IP address is 198[.]211[.]18[.]93. Raiu said that the command server is still operational and that the server exclusively hosts the attack server.
Meanwhile, the NetTraveler group has also apparently compromised a Uyghur-related website at the Islamic Association of Eastern Turkistan with an iframe attack that redirects victims to the weststock[.]org domain.
“The usage of the Java exploit for CVE-2013-2465 coupled with the watering hole attacks is a new, previously unseen development for the NetTraveler group,” Raiu said. “It obviously has a higher success rate than mailing CVE-2012-0158 exploit-ridden documents, which was the favorite attack vector until now. We estimate that more recent exploits will be integrated and used against the group’s targets.”
Neither NetTraveler iteration relied on zero days, Raiu said. The first version of NetTraveler targeted Office vulnerabilities that had been patched almost a year, yet still Kaspersky Lab researchers were able to find more than 22 gigabytes of stolen data on sinkholed command and control servers—a small fraction of the stolen data. More than 30 command and control servers have been discovered between the two versions of the campaign.