A series of advanced attacks has been detected against more than 350 high-profile victims in 40 countries.
According to research by Kaspersky Lab, the main tool used by the threat actors during these attacks is called ‘NetTraveler’ and is used by the attackers for basic surveillance of victims. Some evidence points to activity since 2005, but the main years of activity were between 2010 and 2011.
Kaspersky Lab claimed that NetTraveler is used by a medium-sized threat actor group from China and that, although not very advanced, the attackers have successfully compromised hundreds of targets around the world. “Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively with knowledge of English language,” it said.
The report claimed that known targets for NetTraveler include Tibetan activists, oil industry companies, scientific research centres and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
Analysis found diplomatic victims to be most infected, accounting for 32 per cent of infections, while the most infected country was Mongolia, representing 29 per cent of infections.
Through analysis of the command and control (C&C) servers, Kaspersky Lab found that the NetTraveler backdoor is often used together with other malware families, while initial infection is achieved through spear-phishing emails carrying malicious Microsoft Office documents as attachments.
Kaspersky Lab said that NetTraveler is a data exfiltration tool, designed to extract large amounts of private information from the victim's system over long periods of time. It uses compression techniques and a fail-safe protocol to ensure that uploaded data is safely transferred to the attacker's servers, and typically exfiltrates common file types such as documents, Excel spreadsheets, PowerPoint, rich text files and PDFs.
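The exfiltration pattern described above, compressed document archives pushed to attacker servers in small batches over a long period, is the kind of behaviour that per-request volume alerts miss. The following is an added example, not code from Kaspersky Lab or from the article, of a generic detection heuristic run over web-proxy logs: it groups outbound POSTs of opaque or compressed payloads by client and destination and flags pairs whose total volume is spread across several distinct days. The log lines, host names, internal-domain suffix, content-type list and thresholds are all constructed for illustration and contain no NetTraveler-specific indicator.

```python
from collections import defaultdict
from datetime import datetime

# Content types that a tool compressing its loot would typically present.
# Assumed list for illustration; tune for your environment.
OPAQUE_TYPES = {
    "application/octet-stream",
    "application/zip",
    "application/x-gzip",
    "application/x-rar-compressed",
}

# Destination suffixes that are internal and must never count as exfiltration (assumed).
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample proxy log: timestamp, client, method, destination host,
# bytes sent by the client, request content-type. Not real traffic.
SAMPLE_LOG = """\
2013-06-03T09:12:01 10.0.0.5 POST updates.example.net 48213 application/octet-stream
2013-06-04T09:13:40 10.0.0.5 POST updates.example.net 51002 application/octet-stream
2013-06-05T09:10:22 10.0.0.5 POST updates.example.net 47780 application/octet-stream
2013-06-06T09:15:05 10.0.0.5 POST updates.example.net 50319 application/octet-stream
2013-06-03T11:02:10 10.0.0.7 POST files.example.org 5242880 application/zip
2013-06-04T10:00:00 10.0.0.9 GET www.example.com 0 text/html
2013-06-05T14:22:09 10.0.0.5 POST backup.corp.example 900000 application/octet-stream
"""


def parse_log(text):
    """Parse whitespace-separated proxy lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, host, sent, ctype = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "bytes_sent": int(sent),
            "ctype": ctype,
        })
    return records


def is_internal(host):
    """True for destinations inside the organisation (assumed suffix list)."""
    return host.endswith(INTERNAL_SUFFIXES)


def find_sustained_uploads(records, min_bytes=100_000, min_days=3):
    """Return (client, host) pairs that POSTed opaque payloads totalling at least
    min_bytes on at least min_days distinct days, largest total first.
    A single-day burst is deliberately left to ordinary volume alerting."""
    totals = defaultdict(int)
    days = defaultdict(set)
    for r in records:
        if r["method"] != "POST" or r["ctype"] not in OPAQUE_TYPES:
            continue
        if is_internal(r["host"]):
            continue
        key = (r["client"], r["host"])
        totals[key] += r["bytes_sent"]
        days[key].add(r["ts"].date())

    findings = []
    for (client, host), total in totals.items():
        if total >= min_bytes and len(days[(client, host)]) >= min_days:
            findings.append({
                "client": client,
                "host": host,
                "bytes_sent": total,
                "days": len(days[(client, host)]),
            })
    findings.sort(key=lambda f: f["bytes_sent"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_sustained_uploads(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log, only the host that trickles roughly 50 KB a day to the same external server for four days is flagged; the 5 MB single-day upload is not, and the large upload to an internal backup host is ignored because of the suffix allowlist. Lowering `min_days` to 1 turns the heuristic back into a plain volume alert, which is usually noisier.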
Kaspersky Lab said: “The data set collected so far from the sinkhole is relatively small and includes victims in Mongolia, South Korea and India. We will continue to monitor the connections and over time, update this paper with more data as it becomes available.”