APT malware NetTraveler learning new tricks
Advanced Persistent Threat exploits Java vulnerabilities, embraces watering hole technique, says researcher
By John P. Mello, Jr.
September 04, 2013 — CSO — An Advanced Persistent Threat (APT) called NetTraveler has been spotted making mischief again, but it appears to have learned a few new tricks since it was last spotted in June.
The malware is now attacking a known Java vulnerability, CVE-2013-2465, and added water holing to its propagation strategy, according to new research from Kaspersky Lab.
Kaspersky sounded the alarm about NetTraveler, also known as Travnet and Netfile, in June, when it reported the backdoor software was spearheading a cyber espionage campaign that had been running for eight years.
The campaign targeted more than 350 high-profile victims from more than 40 countries, including political activists, research centers, governmental institutions, embassies, military contractors and private companies from various industries.
At that time, NetTraveler was exploiting two vulnerabilities in Microsoft Office, CVE-2012-0158 and CVE-2010-3333, both previously patched by the software maker.
At the time, NetTraveler wasn't the only backdoor exploiting old Office vulnerabilities. Rapid7 discovered another bad app, KeyBoy, also engaged in similar shenanigans.
This time, though, NetTraveler's puppetmasters are training their sights on Java. In one flavor of the attack, spear phishing messages containing malicious links are sent to likely targets. The link leads to a poisoned website which will stealthily infect the computer of an unsuspecting visitor with the APT, which is programmed to steal files from its host.
"In addition to the spear phishing e-mails, watering hole attacks have become another popular method to attack unsuspecting victims by the APT operators," Kaspersky researcher Costin Raiu wrote in a blog post.
"There is perhaps no surprise that the NetTraveler attacks are now using this method as well," he said.
All the NetTraveler activity observed by Kaspersky has been aimed at Uyghur activists. They have been agitating for the separation from China of largely muslim East Turkistan, located in the Xinjang, a region in the northwest corner of that country. So it's no surprise that the malware operators chose the Islamic Association of Eastern Turkistan website for its watering hole exploit.
The attackers planted an iframe on the IAET home page that fetches malware from a site they control and clandestinely plants it on the computers of IAET visitors.
"Spear phishing campaigns are still the tip of the spear for attack vectors," said JD Sherry, vice president of Technology and Solutions for Trend Micro.
"However, he continued, "the intelligent hacking crews, the more sophisticated hacking crews, are leveraging these water holing techniques."
Water holing allows attackers to compromise a trusted site and infect the site's loyal followers. "Attackers will inject malicious capabilities into that site through a vulnerability," Sherry told CSOonline.
"Waterholing is a huge attack vector," he said. "We're seeing a seismic shift in water holing capabilities. That's going to continue as some of the sophisticated hacking crews begin to compromise news outlets and financial sites -- places where people go day-to-day with unprotected systems."
Because NetTraveler exploits known vulnerability, it's less advanced than APTs that use less known or unknown vulnerabilities, Sherry asserted.
"This vulnerability has been persistent for several months now," he said, "and if end users were running appropriate anti-virus and updated patches, they would have been protected from this vulnerability."
Patching systems, however, is a problem even for companies with a management system in place to do it, said Scott Gordon, CMO of ForeScout Technologies. That's because the patching process can be gap prone.
"We find that from five to 25 percent of operating environment where there's change management and patching there's a gap where the management system is saying one thing and the host configuration is not in parity," Gordon said in an interview.
"Five percent in a 100 to 200 endpoint operating environment may not be a big deal," he said. "But once you get into the thousands, it starts adding up and your gap is larger."
Although NetTraveler's handlers are exploiting a well-known vulnerability now, that may not be the case in the future. "I suspect they will rely less on the main NetTraveler malware they're known for," said Nart Villeneuve, a senior threat intelligence researcher at FireEye.
"They'll start to rely on less well-known pieces of malware that they have in their arsenal," he said.
While those handlers have diverged from the days of exploiting Microsoft Office vulnerabilities, they aren't about to create another Stuxnet.
"They don't seem to enlist an elite offensive technical skillset," Kurt Baumgartner, a senior security researcher at Kaspersky, said in an email. "So their progress will most likely push towards modes of delivering client side attacks, and not more advanced exploitation."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.