
Cyber espionage campaign infects 350

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 05 Jun 2013
Kaspersky Lab speculates the developers of NetTraveler number around 50.

A dangerous cyber espionage campaign, NetTraveler, has been uncovered by Kaspersky Lab.

Believed to have originated in China, the family of malicious programs has been used by cyber criminals to compromise more than 350 high-profile victims, across 40 countries.

A report released by the company last night says the campaign targeted diplomats, military contractors and government agencies, as well as the oil and gas industry, activists and research centres.

The attacks use spear-phishing e-mails with malicious MS Office documents as attachments, which exploit two highly exploited vulnerabilities. They aim to steal sensitive data, log keystrokes, and retrieve file system listings and various Office or PDF documents.

NetTraveler's recent cyber-espionage activities have also focused on space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.

Dubbed NetTraveler due to an internal string found in early versions of the malicious code - "NetTraveler Is Running!" - the malware is also known as "Travnet" or "Netfile".

Illustrating how most of these campaigns are at least loosely connected, the security firm believes one backdoor used in the NetTraveler campaign was written by the same malware authors behind Gh0st RAT, an open source backdoor Trojan that was used in a large number of incidents, many of which were targeted attacks.

According to Threatpost, during the recent 2013 Cybersecurity Forum, in Washington DC, Costin Raiu, senior security researcher and head of the global research and analysis team at Kaspersky Lab, said the company has also found links to Titan Rain, a series of coordinated attacks on US computer systems dating as far back as 2003.

"They're just one big ugly gorilla with a thousand faces and of course we haven't seen all of them yet," Raiu commented.

Kaspersky Lab has also identified six victims that fell foul of both NetTraveler and Red October, another espionage campaign uncovered by the company in January 2013, which it says indicates these victims are being targeted by several advanced persistent threat actors, as their information is valuable.

Through collective intelligence, Kaspersky Lab speculates the developers of NetTraveler number around 50, and suspects the group is behind a number of similar espionage attacks dating back nearly 10 years.

The company says the first known samples have a timestamp of 2005, although references exist indicating there could have been activity as far back as 2004. However, the biggest number of samples was written between 2010 and 2013.
