
NetTraveler Is Back: The 'Red Star' APT Returns With New Tricks

Costin Raiu
Kaspersky Lab Expert
Posted September 03, 07:57  GMT
Tags: Website Hacks, Sun Java, Targeted Attacks, Oracle

NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high-profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

During the last week, several spear-phishing e-mails were sent to multiple Uyghur activists. Here’s an example:

A rough translation:

“The spokesman of the WUC made the following statement about the massacre in Karghiliq country. To the kind attention of everyone.”

It contains a link to a page purportedly on the World Uyghur Congress website. However, the real page link leads to a known NetTraveler-related domain at “weststock[dot]org”.

Here’s the content of the page fetched from that URL:

This simple HTML loads and runs a Java applet named “new.jar” (c263b4a505d8dd11ef9d392372767633). The “new.jar” is an exploit for CVE-2013-2465, a very recent vulnerability in Java versions 5, 6 and 7, which was fixed by Oracle in June 2013. It’s detected and blocked by Kaspersky products generically as “HEUR:Exploit.Java.CVE-2013-2465.gen”.

The payload of the exploit is a file named “file.tmp” (15e8a1c4d5021e76f933cb1bc895b9c2), which is stored inside the JAR. This is a classic NetTraveler backdoor dropper (Kaspersky products block it as “Trojan-Dropper.Win32.Dorifel.adyb”), compiled on “Thu May 30 03:24:13 2013” if we are to believe the PE header timestamp.

This NetTraveler variant connects to a previously unknown command and control server, at “hxxp://worldmaprsh[dot]com/gzh/nettr/filetransfer[dot]asp”, hosted at IP 198.211.18.93. The IP is located in the U.S. at “Multacom Corporation” and is used exclusively to host this C2:

The command and control server is active and operational at the time of writing of this blog, accepting stolen data from victims.

NetTraveler’s Watering Hole Attack

In addition to spear-phishing e-mails, watering hole attacks have become another popular method APT operators use to reach unsuspecting victims.

It is perhaps no surprise that the NetTraveler attackers are now using this method as well. Last month, we intercepted and blocked a number of infection attempts from the known NetTraveler-related domain at “weststock[dot]org”. The redirections appeared to come from another Uyghur-related website belonging to the “Islamic Association of Eastern Turkistan”:

A quick look at the site’s HTML code reveals an iframe injection common to malicious websites:

The HTML page on “weststock[dot]org” referenced by the IFRAME contained another malicious applet, named “ie.jar”.
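As an added example (not code from the post), a small Python checker that covers both delivery mechanisms described above, the applet-loading page and the injected iframe, and the C2 callback from the spear-phishing case. The indicator values are the ones quoted in the post; the sample HTML page and proxy log lines are constructed.

```python
import re
from html.parser import HTMLParser

# Indicators quoted in the post, with the defanging brackets removed.
NT_HOSTS = {"weststock.org", "worldmaprsh.com"}
NT_IPS = {"198.211.18.93"}
C2_PATH = "/gzh/nettr/filetransfer.asp"
NT_JARS = {"new.jar", "ie.jar"}

class DeliveryScanner(HTMLParser):
    """Records the two delivery mechanisms in the post: Java applets and injected iframes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("applet", "embed"):
            for key in ("archive", "code", "src"):
                if a.get(key, "").lower().endswith(".jar"):
                    name = a[key].rsplit("/", 1)[-1].lower()
                    level = "known" if name in NT_JARS else "suspect"
                    self.findings.append((level, "applet " + a[key]))
        elif tag == "iframe":
            host = re.sub(r"^https?://", "", a.get("src", ""), flags=re.I).split("/")[0].lower()
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if host in NT_HOSTS:
                self.findings.append(("known", "iframe to NetTraveler host " + host))
            elif hidden:
                self.findings.append(("suspect", "hidden iframe to " + host))

def scan_html(page):
    """Return (level, description) findings for one fetched HTML page."""
    s = DeliveryScanner()
    s.feed(page)
    return s.findings

def scan_proxy_log(lines):
    """Return proxy-log lines touching the C2 host/IP, the C2 path or the known applets."""
    return [l for l in lines if any(i in l.lower() for i in NT_HOSTS | NT_JARS | {C2_PATH})
            or any(ip in l for ip in NT_IPS)]

# Constructed sample input: a hidden injected iframe and two proxy log lines.
SAMPLE_HTML = '<html><body><p>news</p><iframe src="http://weststock.org/ie.html" width="0" height="0"></iframe></body></html>'
SAMPLE_LOG = ["10.0.0.5 GET http://worldmaprsh.com/gzh/nettr/filetransfer.asp 200",
              "10.0.0.7 GET http://example.test/index.html 200"]
```

Run the known-indicator matches as blocks and treat the "suspect" findings (hidden iframes, unknown JARs) as triage leads, since those heuristics will also fire on benign pages.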

Conclusions

Immediately after the public exposure of the NetTraveler operations, the attackers shut down all known C2s and moved them to new servers in China, Hong Kong and Taiwan. However, they also continued the attacks unhindered, as the current case shows.

The use of the Java exploit for CVE-2013-2465 coupled with watering hole attacks is a new, previously unseen development for the NetTraveler group. It obviously has a higher success rate than mailing exploit-ridden documents for CVE-2012-0158, which was the favorite attack vector until now. We expect that more recent exploits will be integrated and used against the group’s targets.

Recommendations on how to stay safe from such attacks:

* Update Java to the most recent version or, if you don’t use Java, uninstall it.
* Update Microsoft Windows and Microsoft Office to the latest versions.
* Update all other third-party software, such as Adobe Reader.
* Use a secure browser such as Google Chrome, which has a faster development and patching cycle than Microsoft’s Internet Explorer.
* Be wary of clicking on links and opening attachments from unknown persons.

So far, we haven’t observed the use of zero-day vulnerabilities by the NetTraveler group. Patches alone do not protect against zero-days; to defend against those, technologies such as AEP (Automatic Exploit Prevention) and DefaultDeny can be quite effective at fighting APTs.

2 comments


mark117

2013 Sep 06, 10:00

Ref: NetTraveler Group - New Methods Of Infection Vectors !!!

Hi Costin Raiu

Do you think that the NetTraveler group went away while they decided to try different infection vectors, i.e. with the Java CVE-2013-2465 vulnerabilities and the watering hole attacks?

It seems like they have gone and thought about other ways that can be good and quick vectors for dropping these infections onto us in the first place.
Plus I think that even they are probably realizing that a lot of people nowadays know how to check their e-mails and how to make sure the links are for where they should be.
That's probably why they have opted to go for CVE-2013-2465, say, over CVE-2012-0158 and sending exploit-ridden docs; maybe it's easier for them to hit people online than risk a document that's probably going in junk/deleted anyway.

As for Java!!!

I am sure that I have read somewhere on here or Threatpost that there is not going to be a Java 8 until the end of the year or at the latest sometime in the beginning of 2014, due to the owners of Oracle/Java wanting to make it a LOT more secure.
Cheers for the interesting articles,
It's what keeps me coming back time and again.
Thank You
mark117
P.S.
I keep my Java off most of the time when online.


Prashant Kate

2013 Sep 19, 19:20

History and targets

First warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005, although the name "APT" was not used.

The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an Advanced Persistent Threat.

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks.[citation needed] Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 in particularly advanced targeted computer hacking attacks.

A common misconception[who?] associated with the APT is that the APT only targets Western governments. While examples of technological APTs against Western governments may be more publicized in the West, actors in many nations have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's response to this cyber threat.

Numerous sources have alleged that some APT groups are affiliated with, or are agents of, nation-states.

Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:

* Higher education
* Financial institutions
