
Security Alert: Red Star APT Attacks – The NetTraveler

June 05, 2013

Kaspersky Lab released the results of its latest Advanced Persistent Threat (APT) research on a piece of malicious software used for covert computer surveillance. The application, named “The NetTraveler” after a string found in earlier versions of the malware, has timestamps in its earliest versions dating back to 2005, although there are references to activity from 2004. At this time, compromised victims include over 350 high-profile organizations in over 40 countries.

The report notes that the known targets of the malware include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

The reported delivery mechanism for this attack was via phishing emails which attempted to exploit two publicly known vulnerabilities – CVE-2012-0158 and CVE-2010-3333. Once infected, NetTraveler automatically attempts to exfiltrate common file types such as doc, xls, ppt, rtf, and pdf as well as specifically configured file types. Exfiltrated data is encoded with a custom compression library and then transmitted to a command and control server via HTTP requests.

Kaspersky provides various recommendations for mitigation including providing Indicators of Compromise (IOC), Kaspersky detection names, and MD5s of known samples (a full listing may be found in the full report).

If an organization identifies that they have been compromised, FishNet Security recommends the following steps:

  • Remove network access to the affected system(s).
  • Enact incident response plan.
  • Perform an anti-virus scan with the most current software version to detect and quarantine any malicious files on the system. If malicious traffic continues after the a/v scan, the system(s) may need to be re-imaged.
  • Block all traffic both inbound and outbound to the IPs and URLs documented in the Kaspersky report.
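As an added example (not code from the alert or from the Kaspersky report), a small Python triage helper for the last two steps: it scopes which internal hosts have already contacted the report's IOCs using proxy log lines, checks a sample's MD5 against the report's hash list, and emits block rules for both directions. The IOC values and log lines below are constructed placeholders; the report's real indicators must be substituted before use.

```python
import hashlib
import re
from collections import defaultdict

# PLACEHOLDER indicators: the real IPs, URLs and MD5s are listed in the
# Kaspersky report, which this alert does not reproduce. Replace before use.
IOC_HOSTS = {"c2.example.invalid", "203.0.113.10"}   # placeholder host and IP
IOC_MD5S = {"0" * 32}                                # placeholder hash

# Constructed proxy log lines: client, method, URL, status, bytes sent.
SAMPLE_LOG = """\
10.1.1.5 GET http://intranet.corp.local/index.html 200 512
10.1.1.7 POST http://c2.example.invalid/upload.asp 200 48213
10.1.1.9 GET http://203.0.113.10/cmd.php 404 0
10.1.1.5 GET http://www.kaspersky.com/ 200 1024
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, sent = m.groups()
    host = HOST_RE.match(url)
    return {"client": client, "method": method, "url": url,
            "host": host.group(1) if host else "",
            "status": int(status), "bytes": int(sent)}

def find_ioc_contacts(log_text, iocs=IOC_HOSTS):
    """Return {client_ip: [records]} for every request to an IOC host.
    Large POSTs to such hosts are consistent with the HTTP exfiltration described."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in iocs:
            hits[rec["client"]].append(rec)
    return dict(hits)

def md5_matches(data, iocs=IOC_MD5S):
    """MD5 a sample's bytes and compare against the report's hash list."""
    return hashlib.md5(data).hexdigest() in iocs

def iptables_block_rules(hosts):
    """Emit iptables rules dropping traffic to and from each IOC host,
    covering both directions as the alert advises."""
    rules = []
    for h in sorted(hosts):
        rules.append(f"iptables -A OUTPUT -d {h} -j DROP")
        rules.append(f"iptables -A INPUT -s {h} -j DROP")
    return rules
```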

The full Kaspersky report can be found here.
