Spear phishing continues to be a very successful attack method and a new campaign is now delivering an updated version of NetTraveler malware, which features an encrypted configuration file.
The malware, also known as “Travnet” and “Netfile,” has been active for up to 10 years, as researchers at Kaspersky said it began in 2004.
Analyzing a sample email delivering NetTraveler, Costin Raiu and Kurt Baumgartner, both security researchers at Kaspersky Lab, said the computers of the victims suffered from a malicious DOC file.
The document contains an exploit for a vulnerability in Microsoft Word with the identifier CVE-2012-0158. The industry first became aware of the issue in October 2012 and it underwent patching, but there are systems with an older version of Word that are vulnerable to this flaw.
It has been used in multiple cyber espionage campaigns, one of the most prominent being Red October.
The researchers observed that the configuration file for the latest revision of the malware was no longer available in plain text; but the authors did not use complex encryption, and the researchers were able to find the command and control (C&C) servers providing instructions.
In the samples analyzed, Kaspersky found C&C servers located mostly in Hong Kong, with one out of seven based in Los Angeles.
The registrar for the Chinese-based severs is Shanghai Meicheng Technology, while for the one in the U.S. is TodayInc.com.
The cyber espionage character of the campaign is obvious as most of the victims are from the diplomatic and government sector.
“For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets,” a Kaspersky blog post said.
32 percent of the victims are from the diplomatic sector, while 19 percent are from the government, according to the security firm.
NetTraveler can exfiltrate data from the affected system such as documents and private information as well as log activity and send it to the commanding server.