July 08, 2016
The 12-year-old Trojan NetTraveler has resurfaced in an APT group’s spear-phishing campaign against Russian and Eastern European targets. The campaign was announced by security research firm Proofpoint.
Proofpoint director of threat intelligence Patrick Wheeler told SCMagazine.com the espionage campaign was launched by a Chinese group, although he said there is “no indication that it is state-sponsored.”
The campaign targeted defense, weapons manufacturing, military organizations, pro-democracy and human rights advocacy groups in Russia, Mongolia, Belarus, and other European countries. The APT group or a related group “utilized Saker, Netbot, DarkStRat, and LURK0 Gh0st in its espionage activities,” a Proofpoint blog post stated on Thursday.
The attackers used infected webpages that mimic news sites in Russian, Mongolian, and Turkish languages.
The malicious payload, also known as NetTraveler, has been used previously in espionage campaigns. Almost a year ago, Proofpoint discovered a similar campaign by the APT group against Russia, using PlugX as the payload. The PlugX RAT “has since fallen into disuse,” Wheeler said, speaking with SCMagazine.com.
In January, Palo Alto Networks discovered a spear-phishing email targeting a diplomat of the Embassy of Uzbekistan in China. However, Wheeler said the researchers did not detect any information that appears to link the actor to the campaign targeting Uzbekistan.
The campaign used two common exploit techniques – a hosted RAR and Microsoft Word attachments that exploit a Microsoft vulnerability that was patched in 2012. “These actors count on the fact that systems are not updated, or updated inconsistently,” Wheeler said.