NetTraveler
State-sponsored surveillance malware exploiting CVE-2010-3333 and CVE-2012-0158
Summary
NetTraveler is a spyware malware family used in advanced persistent threat (APT) campaigns for cyber espionage and surveillance. It has been active since 2004 and was publicly disclosed in 2013. The malware targets high-profile organizations to exfiltrate sensitive data.
Key Facts:
- Infected over 350 victims in 40 countries.
- Primarily spreads via spear-phishing emails exploiting Microsoft Office vulnerabilities (CVE-2010-3333 and CVE-2012-0158).
- Associated with Chinese threat actors, possibly APT21 or Hammer Panda.
- Focuses on data theft in sectors like space exploration, nanotechnology, and energy.
Background
NetTraveler was first observed in 2004, with the earliest samples timestamped in 2005. It was discovered and analyzed by Kaspersky Lab, which monitored the campaign and released a public report on June 4, 2013. The threat actors were notified only indirectly, through that public disclosure, and antivirus vendors updated their signatures to detect the malware. Because NetTraveler is malware rather than a product vulnerability, no vendor patch timeline applies to it; the Microsoft Office vulnerabilities it exploits, however, were patched in MS10-087 (2010) and MS12-027 (2012).
Impact
- Enables unauthorized remote access and control of infected systems.
- Facilitates exfiltration of sensitive documents, keystrokes, and file listings.
- Affects high-profile targets including governments, embassies, military contractors, and research institutes.
- Scope includes over 40 countries, with highest infections in Mongolia, India, and Russia.
- Potential for long-term espionage and intellectual property theft.
What's NetTraveler
NetTraveler is a malware family designed for surveillance and data exfiltration. It is delivered via spear-phishing attachments exploiting Office vulnerabilities, installs backdoors, and communicates with command-and-control (C2) servers to steal data such as Office documents, PDFs, and specialized files like CAD drawings.
Implications
NetTraveler highlights the risks of state-sponsored cyber espionage, where persistent threats can compromise national security, intellectual property, and operational integrity. It underscores the importance of patching known vulnerabilities and monitoring for APT indicators, as unmitigated infections can lead to prolonged data leaks and strategic disadvantages.
Mitigation
Immediate (0–7 days)
- Run full antivirus scans on all systems using updated signatures.
- Isolate potentially infected machines from the network.
- Check for and apply patches for CVE-2010-3333 and CVE-2012-0158 if not already done.
Short-Term (1–4 weeks)
- Conduct user awareness training on spear-phishing recognition.
- Implement email filtering to block malicious attachments.
- Monitor network traffic for connections to known C2 domains/IPs.
Medium-Term (1–3 months)
- Deploy endpoint detection and response (EDR) tools.
- Update all software to latest versions and enable automatic patching.
- Perform a full network audit for signs of compromise.
Long-Term (3–6+ months)
- Adopt zero-trust security models.
- Regularly conduct penetration testing and red team exercises.
- Collaborate with threat intelligence services for ongoing monitoring.
Timeline
| Date | Event |
|---|---|
| 2004 | Earliest known activity of NetTraveler. |
| 2005 | Earliest malware samples timestamped. |
| 2010–2013 | Peak period with largest number of samples observed. |
| June 4, 2013 | Public disclosure by Kaspersky Lab. |
| 2016 | Continued activity, including new campaigns targeting Russia and Europe. |
Key Takeaways
- Persistent threats like NetTraveler demonstrate the longevity of APT campaigns, emphasizing the need for ongoing vigilance.
- Patching known vulnerabilities (e.g., in Microsoft Office) is critical to prevent exploitation.
- High-profile sectors must prioritize threat intelligence and user training to mitigate spear-phishing risks.
- Cyber espionage poses significant risks to national security and intellectual property.
References
- Kaspersky Securelist: NetTraveler is Running!
- Kaspersky Report: The NetTraveler (aka 'TravNet')
- Wikipedia: NetTraveler
- Palo Alto Unit 42: NetTraveler Spear-Phishing
- MITRE ATT&CK: NetTraveler
Identification Tool
Checklist for end users and technicians to confirm whether a system is affected:
- Run an antivirus scan with updated definitions and check for detections of Trojan-Spy.Win32.TravNet or Downloader.Win32.NetTraveler.
- Check for suspicious files such as netmgr.exe, netmgr.dll, perf2012.ini in system directories.
- Monitor network traffic for connections to known C2 domains like andriodphone.net or IPs like 209.11.241.144.
- Verify if Microsoft Office patches for CVE-2010-3333 (MS10-087) and CVE-2012-0158 (MS12-027) are installed.
- Look for unusual processes or registry entries related to bootuid.dll or similar IOCs.
- If any signs are found, isolate the system and perform forensic analysis.
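The checklist above can be run as a single host sweep. The following PowerShell script is an added example, not part of the original page: it looks for the indicator file names, DLLs loaded into running processes, Run-key persistence entries, DNS cache entries and TCP connections matching the C2 domain and IP listed above. The directories searched, the Run keys checked and the report layout are assumptions; the indicator values are those the page lists.

```powershell
# Added example, not from the original page: sweep one host for the NetTraveler
# indicators listed in the checklist above. Directories searched, Run keys checked
# and the report format are assumptions; indicator values are those the page lists.
$fileIocs  = @('netmgr.exe', 'netmgr.dll', 'perf2012.ini', 'bootuid.dll')
$c2Domains = @('andriodphone.net')
$c2Ips     = @('209.11.241.144')
$roots     = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:ProgramData", "$env:TEMP")
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# 1. Dropped files: indicator names in the system directories (one level deep to keep the sweep fast).
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Include $fileIocs -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'File' $_.FullName "modified $($_.LastWriteTime)" }
}

# 2. Loaded modules: an indicator DLL mapped into a running process (protected processes are skipped).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { continue }
    foreach ($m in $mods) {
        if ($fileIocs -contains $m.ModuleName.ToLower()) { Add-Finding 'Module' $m.FileName "in PID $($proc.Id) ($($proc.ProcessName))" }
    }
}

# 3. Persistence: Run-key values that reference an indicator file name.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        foreach ($ioc in $fileIocs) { if ("$($p.Value)" -match [regex]::Escape($ioc)) { Add-Finding 'Registry' "$key\$($p.Name)" "$($p.Value)" } }
    }
}

# 4. C2 contact: resolved names in the DNS client cache and TCP connections to the listed IP.
foreach ($d in $c2Domains) {
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$d" } |
        ForEach-Object { Add-Finding 'DNS' $_.Entry "resolved to $($_.Data)" }
}
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $c2Ips -contains $_.RemoteAddress } |
    ForEach-Object { Add-Finding 'Network' $_.RemoteAddress "from PID $($_.OwningProcess), state $($_.State)" }

if ($findings.Count -eq 0) { Write-Host -ForegroundColor Green 'No NetTraveler indicators found on this host.' }
else { Write-Host -ForegroundColor Red "$($findings.Count) indicator(s) found; isolate the host and preserve evidence:"; $findings | Format-Table -AutoSize }
```

Run it in an elevated session so that process modules and HKLM keys are readable; a clean result does not rule out infection, since the sweep covers only the indicators named on this page.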
PowerShell Check Script
PowerShell script to check for the patches that close the vulnerabilities exploited by NetTraveler (CVE-2010-3333 and CVE-2012-0158). The KB numbers are examples for one Office version; adjust them for the version installed. A "missing" result should also be checked against the installed Office build, since a later cumulative update may have superseded the listed KB.

```powershell
# Example KB for CVE-2010-3333: KB2423930 (MS10-087)
# Example KB for CVE-2012-0158: KB2598041 (Office 2003, adjust for other versions)
$kb1 = 'KB2423930' # For CVE-2010-3333
$kb2 = 'KB2598041' # For CVE-2012-0158 (example for Office 2003)

# Get-HotFix only reports updates recorded in the Windows QFE store; Office updates are
# usually registered under the Uninstall keys instead, so both places are checked.
function Test-KbInstalled([string]$Kb) {
    if (Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }) { return $true }
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Kb -or $_.PSChildName -match $Kb }
    return [bool]$hit
}

if (Test-KbInstalled $kb1) {
    Write-Host -ForegroundColor Green "OK: Patch for CVE-2010-3333 is installed."
} else {
    Write-Host -ForegroundColor Red "Update Needed: Patch for CVE-2010-3333 is missing."
}
if (Test-KbInstalled $kb2) {
    Write-Host -ForegroundColor Green "OK: Patch for CVE-2012-0158 is installed."
} else {
    Write-Host -ForegroundColor Red "Update Needed: Patch for CVE-2012-0158 is missing."
}
```