Security Alert: Red Star APT Attacks – The NetTraveler

By gTIC

Kaspersky Lab has released the results of its latest Advanced Persistent Threat (APT) research into a piece of malicious software used for covert computer surveillance. The malware was named “The NetTraveler” after a string found in earlier versions of it. Kaspersky notes that the earliest known versions carry timestamps dating back to 2005, although there are references to activity from 2004. At this time, compromised victims include over 350 high-profile organizations in over 40 countries.

The report notes that the known targets of the malware include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

The reported delivery mechanism for this attack is phishing email that attempts to exploit two publicly known vulnerabilities, CVE-2012-0158 and CVE-2010-3333. Once a system is infected, NetTraveler automatically attempts to exfiltrate common file types (doc, xls, ppt, rtf and pdf) as well as any additional file types configured by the operators. Exfiltrated data is encoded with a custom compression library and then transmitted to a command and control server via HTTP requests.

Kaspersky provides various recommendations for mitigation, including Indicators of Compromise (IOCs), Kaspersky detection names, and MD5 hashes of known samples (a full listing may be found in the full report).

If an organization identifies that it has been compromised, FishNet Security recommends the following steps:

  • Remove network access from the affected system(s).
  • Enact the incident response plan.
  • Perform an anti-virus scan with the most current software version to detect and quarantine any malicious files on the system. If malicious traffic continues after the scan, the system(s) may need to be re-imaged.
  • Block all inbound and outbound traffic to and from the IPs and URLs documented in the Kaspersky report.
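The report's IOCs (sample MD5s, C2 IPs and URLs) are only useful once they are actually swept across hosts and logs. The script below is an added example, not code from FishNet Security or from the Kaspersky report: it hashes files under a directory against a set of sample MD5s, and scans outbound proxy log lines for C2 hosts/IPs and for POST requests that carry the document types the alert says NetTraveler harvests. Every indicator value in it (the hash, the IPs, the domains) and the proxy log format are constructed placeholders; substitute the values from the full report before use.

```python
"""Added example (not from the FishNet Security alert or the Kaspersky report):
a minimal IOC sweep of the kind a responder runs after reading such a report.

  1. hash files on a suspect host and compare against the report's sample MD5s;
  2. scan outbound HTTP/proxy log lines for the report's C2 IPs and hosts, and
     flag POSTs whose URL names one of the document types the alert says
     NetTraveler collects.

Every IOC value below is a CONSTRUCTED PLACEHOLDER, not an indicator from the
report; replace the sets with the values listed in the full report.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Placeholder sample hash: the MD5 of a constructed byte string, so the demo
# can reproduce a hit without shipping a real malware hash.
CONSTRUCTED_SAMPLE_BYTES = b"CONSTRUCTED placeholder standing in for a NetTraveler sample"
CONSTRUCTED_SAMPLE_MD5 = hashlib.md5(CONSTRUCTED_SAMPLE_BYTES).hexdigest()
SAMPLE_MD5S = {CONSTRUCTED_SAMPLE_MD5}

C2_IPS = {"192.0.2.10", "198.51.100.7"}              # RFC 5737 test addresses (placeholders)
C2_HOSTS = {"c2.example.net", "update.example.org"}   # placeholder domains

# Document types the alert says NetTraveler exfiltrates automatically.
HARVESTED_EXT = (".doc", ".xls", ".ppt", ".rtf", ".pdf")


def md5_of_file(path, chunk=65536):
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root):
    """Return [(path, md5)] for every file under root whose hash is a known sample."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in SAMPLE_MD5S:
                hits.append((path, digest))
    return hits


def scan_proxy_log(lines):
    """Return [(line_no, [reasons])] for log lines that match an indicator.

    Constructed line format: <timestamp> <src_ip> <method> <url> <status> <bytes>
    Reasons: "c2-host" / "c2-ip" (high confidence, straight from the blocklist)
    and "doc-upload" (low confidence: a POST whose path or query names a
    harvested document type).
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: ignore rather than crash the scan
        method, url = fields[2].upper(), fields[3]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        target = (parsed.path + "?" + parsed.query).lower()
        reasons = []
        if host in C2_HOSTS:
            reasons.append("c2-host")
        if host in C2_IPS:
            reasons.append("c2-ip")
        if method == "POST" and any(ext in target for ext in HARVESTED_EXT):
            reasons.append("doc-upload")
        if reasons:
            hits.append((line_no, reasons))
    return hits


# Constructed proxy log: one benign fetch, two C2 contacts, one benign PDF download.
SAMPLE_LOG = """\
2013-06-05T10:01:22Z 10.0.0.5 GET http://intranet.example.com/index.html 200 1432
2013-06-05T10:02:03Z 10.0.0.5 POST http://c2.example.net/upload.asp 200 51200
2013-06-05T10:02:10Z 10.0.0.7 POST http://198.51.100.7/data.php?f=report.doc 200 98304
2013-06-05T10:03:44Z 10.0.0.9 GET http://www.example.com/news.pdf 200 2048
"""


def demo_sweep():
    """Write one constructed 'sample' and one benign file into a scratch
    directory, sweep it, and return the list of matching hashes."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "svchost.dat"), "wb") as f:
            f.write(CONSTRUCTED_SAMPLE_BYTES)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"ordinary user file")
        return [digest for _path, digest in sweep_directory(root)]


if __name__ == "__main__":
    print("hash sweep hits:", demo_sweep())
    for line_no, reasons in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"log line {line_no}: {', '.join(reasons)}")
```

The two checks are deliberately kept apart in confidence: a match on a C2 host or IP is a blocklist hit and should feed straight into the network-blocking step above, while "doc-upload" only says that a document left the network by POST and is a lead to triage, not proof of compromise.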

The full Kaspersky report can be found here.