NetTraveler Campaign Uses New Attack Tactic To Infect Victims


An attack that has targeted people in more than 40 countries has resurfaced and is beginning to turn to a drive-by attack technique to target a broader number of employees at specific organizations.

Security researchers at Kaspersky Lab said NetTraveler, a surveillance toolkit, may be expanding its scope to a broader set of victims. It is currently targeting Tibetan and Uyghur political activists, but the attackers have been seen uploading the stolen data through a cloud hosting provider based in the U.S.

The NetTraveler malware is believed to be connected to attackers in China and continues to be used in small-scale targeted attacks. The cybercriminals have relied on email messages with malicious file attachments to initially compromise systems. But those behind the campaign are turning to a newer tactic: watering-hole-style, drive-by attacks to infect a larger number of employees in the energy sector, scientific research community, governments and defense contractors.

[Related: Mandiant: Report Sending Chinese Cyberattackers Back To The Drawing Board?]

Kaspersky said Tuesday that it has detected several spearphishing e-mails aimed at Uyghur activists in the past week. The firm has detected more than 30 command-and-control servers linked to the attack campaigns. New servers have been uncovered in China, Hong Kong and Taiwan, wrote Costin Raiu, senior security researcher at Kaspersky, in his analysis of the latest attacks. Raiu said the firm discovered a watering-hole-style attack being used to infect visitors of websites likely to be visited by those targeted by the attack campaign.

The attackers set up attack code within the website, which attempts to target a Java vulnerability when visitors view the page. The vulnerability, which can enable attackers to bypass the Java sandbox, is also being used in the spearphishing emails. It was patched by Oracle in June. Once infected, the attackers install keylogger functionality to record the victim's keystrokes and have the ability to upload additional malware to steal data.

"Last month, we intercepted and blocked a number of infection attempts from the known NetTraveler-related domain," Raiu wrote. "The usage of the Java exploit for CVE-2013-2465 coupled with watering hole attacks is a new, previously unseen development for the NetTraveler group."

Raiu said he believes the attackers will use more recent exploits in their campaigns and Kaspersky is continuing to monitor the attacks to uncover whether any zero-day exploits are used.

The company recommends users update Java or uninstall it completely and ensure other applications have been updated.

Kaspersky first announced that it detected the NetTraveler attack in June. The attacks have been linked to similar campaigns that have been in existence for nearly a decade, targeting hundreds of individuals. The surveillance toolkit has been used on individuals in Mongolia, South Korea and targeted employees at oil and chemical refineries in India and Russia.

PUBLISHED SEPT. 3, 2013