Espionage malware infects raft of governments, industries around the world

Security researchers have blown the whistle on a computer-espionage campaign that over the past eight years has successfully compromised more than 350 high-profile targets in 40 countries.

"NetTraveler," named after a string included in an early version of the malware, has targeted a number of industries and organizations, according to a blog post published Tuesday by researchers from antivirus provider Kaspersky Lab. Targets include oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies, military contractors, and Tibetan/Uyghur activists. Most recently the group behind NetTraveler has focused most of its efforts on obtaining data concerning space exploration, nanotechnology, energy production, nuclear power, lasers, medicine, and communications.

"Based on collected intelligence, we estimate the group size to be about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language," the researchers wrote. "NetTraveler is designed to steal sensitive data as well as log keystrokes and retrieve file system listings and various Office and PDF documents."


Symantec Protections for TravNet

Today, Kaspersky published a paper titled “The NeTTraveler (aka ‘TravNeT’).” The paper provides analysis on a targeted attack campaign that is targeting various organizations worldwide, such as governments, industries, and non-government organizations. This research is related to the McAfee blog “Travnet Trojan Could Be Part of APT Campaign” released earlier in March about a campaign we have been monitoring as well. We have the following antivirus coverage in place for this threat:

We also provide the following IPS coverage:

The identified infection vector of this campaign is spear phishing emails with specially crafted attachments in rich text format (RTF). We have observed malicious files in RTF format that exploit Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333), both patched vulnerabilities in Microsoft Office and other Microsoft products. We have seen similar behavior from these files: exploitation of Microsoft Word to drop a file we detect as Trojan.Mdropper.

Once the exploit succeeds, a first-stage malware file is dropped which, in turn, drops further components that steal information from the target and send it back to the attackers’ command-and-control (C&C) server. Symantec products detect the spear-phishing Word documents as Trojan.Mdropper and the dropped files as Trojan.Travnet.
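The RTF lures described above can be triaged before detonation by looking for the two artifacts the exploits leave in the file: an embedded OLE object whose class id belongs to the MSCOMCTL.OCX ListView/TreeView control that CVE-2012-0158 exploits instantiate, and a pFragments shape property, the field CVE-2010-3333 overflows. The script below is an added example, not Symantec's signature or any vendor code; the CLSIDs come from public analyses of those controls, and the sample documents are constructed here (they contain no exploit). Presence of either indicator is a reason to sandbox the file, not proof of exploitation, and obfuscated RTF can evade this kind of pattern match.

```python
"""Heuristic triage of RTF attachments for CVE-2012-0158 / CVE-2010-3333 artifacts."""
import re
import uuid

# CLSIDs of the MSCOMCTL.OCX controls loaded by CVE-2012-0158 exploits (public write-ups).
MSCOMCTL_CLSIDS = {
    "ListView": uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628"),
    "TreeView": uuid.UUID("996BF5E0-8044-4650-ADEB-0B013914E99C"),
}

OBJDATA_GROUP = re.compile(rb"\\objdata\b([^}]*)")
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\.")   # \word123 or \' style control symbols
NON_HEX = re.compile(rb"[^0-9A-Fa-f]")
PFRAGMENTS = re.compile(rb"\\sn\s*pFragments", re.I)     # shape property CVE-2010-3333 overflows
PROGID = re.compile(rb"MSComctlLib\.(?:List|Tree)ViewCtrl", re.I)


def objdata_blobs(rtf: bytes):
    """Yield the decoded payload of every \\objdata group.

    Lures often split the hex across lines or pad it with junk control words,
    so control words and non-hex characters are stripped before decoding;
    an odd trailing nibble is dropped instead of aborting the whole scan.
    """
    for m in OBJDATA_GROUP.finditer(rtf):
        hexdata = NON_HEX.sub(b"", CONTROL_WORD.sub(b"", m.group(1)))
        hexdata = hexdata[: len(hexdata) & ~1]
        try:
            yield bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue


def triage_rtf(rtf: bytes) -> dict:
    """Return indicator hits for one RTF document."""
    hits = {"object_count": 0, "cve_2012_0158": [], "cve_2010_3333": False}
    for blob in objdata_blobs(rtf):
        hits["object_count"] += 1
        for name, clsid in MSCOMCTL_CLSIDS.items():
            # OLE serialises GUIDs with the leading fields little-endian.
            if clsid.bytes_le in blob:
                hits["cve_2012_0158"].append(name)
    if PROGID.search(rtf):            # ProgID in \objclass also betrays the control
        hits["cve_2012_0158"].append("progid")
    if PFRAGMENTS.search(rtf):
        hits["cve_2010_3333"] = True
    return hits


def _samples() -> dict:
    """Constructed documents (no exploit code): a benign file, a ListView OLE
    object whose hex is split by a junk \\line control word, and a pFragments shape."""
    lv = MSCOMCTL_CLSIDS["ListView"].bytes_le.hex().encode()
    return {
        "benign": b"{\\rtf1\\ansi Quarterly report\\par}",
        "listview_object": (b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata 0105000002000000\n"
                            b"1b000000" + lv[:16] + b"\\line\n" + lv[16:] + b" 00000000}}}"),
        "pfragments": (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}"
                       b"{\\sv 1;8;" + b"41" * 32 + b"}}}}}"),
    }


SAMPLES = _samples()

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, triage_rtf(doc))
```

Run it against a quarantine directory by reading each attachment as bytes and feeding it to `triage_rtf`; anything with a non-empty `cve_2012_0158` list or `cve_2010_3333` set should go to a sandbox for confirmation.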

Users should ensure that software applications are up to date, and avoid clicking on suspicious links or opening suspicious email attachments. To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.

Waledac Reloaded: Trojan.Rloader.B

Recently, we blogged about systems compromised by W32.Virut that were observed downloading W32.Waledac.D (Kelihos). Symantec has followed the evolution of Waledac for a number of years and has observed the botnet showing considerable resilience against past take-down efforts. Waledac is traditionally known as a spamming botnet and has been observed sending up to 2,000 malicious emails per day.


Figure 1. W32.Waledac.D spam

In the past two months, we have observed Waledac infection numbers go from strength to strength, with the majority of infections originating in the United States.


Figure 2. Top 10 countries with computers compromised by W32.Waledac.D

Computers compromised with W32.Waledac.D were also distributing additional malware that had initially been detected as Backdoor.Tidserv. However, following our analysis, we have discovered it to be a new variant of Trojan.Rloader, dubbed Trojan.Rloader.B. Similar to its older brother, Trojan.Rloader.B’s main functionality revolves around click-fraud.


Figure 3. Trojan.Rloader.B attack steps

When Trojan.Rloader.B is first executed on the victim’s computer, it checks that it is running on a physical machine and terminates itself if it detects a virtual machine. Virtual machines frequently host the antivirus software and sandbox tools used to analyze malware, so refusing to run in one is an anti-analysis measure. Next, it collects information about the compromised host and sends it back to the command-and-control server to register the compromised computer. At this point, it modifies the Windows hosts file to redirect a number of popular search engine domains to a malicious IP address, which serves pop-up advertisements embedded within search results.

Trojan.Rloader.B also targets the Mozilla Firefox and Internet Explorer Web browsers by modifying their preferences to redirect search requests to an attacker-controlled address. This is likewise done to display advertisements on the compromised computer.
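Both redirects described in the two paragraphs above leave artifacts on disk that a responder can check without the malware sample: hosts file entries that point search engine domains somewhere other than a loopback/blackhole address, and Firefox `user_pref(...)` lines that point the browser's search URL at an unexpected host. The checker below is an added example and not Symantec's or the malware's code; the hosts file and prefs.js contents are constructed samples, and the choice of `keyword.URL` as the preference to watch is an assumption (the post does not name which Firefox preference Rloader.B rewrites).

```python
"""Check a Windows hosts file and a Firefox prefs.js for search-engine redirects."""
import re
from urllib.parse import urlsplit

# Domains a user expects to reach directly; any non-local mapping is a hijack.
SEARCH_DOMAINS = {"www.google.com", "google.com", "www.bing.com", "bing.com",
                  "search.yahoo.com", "www.yahoo.com"}
# Mapping to these addresses blocks a site (ad-blocking hosts files do this) rather than redirecting it.
LOCAL_SINKS = {"127.0.0.1", "::1", "0.0.0.0"}
# Firefox preferences whose value is a URL that typed searches are sent to (assumption, see lead-in).
SEARCH_URL_PREFS = {"keyword.URL", "browser.search.defaulturl"}
LEGIT_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def hosts_redirects(hosts_text: str) -> list:
    """Return every search-engine entry in a hosts file, classed as redirect or blackhole."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in SEARCH_DOMAINS:
                kind = "blackhole" if ip in LOCAL_SINKS else "redirect"
                findings.append({"domain": name.lower(), "ip": ip, "kind": kind})
    return findings


def firefox_search_tampering(prefs_text: str) -> list:
    """Return search-URL preferences in prefs.js that point at a non-allowlisted host."""
    findings = []
    for name, value in PREF_RE.findall(prefs_text):
        if name not in SEARCH_URL_PREFS or "://" not in value:
            continue
        host = urlsplit(value).hostname
        if host and host.lower() not in LEGIT_SEARCH_HOSTS:
            findings.append({"pref": name, "value": value, "host": host})
    return findings


# Constructed samples, not captures from an infected machine.
SAMPLE_HOSTS = """\
# hosts file with two hijacked search domains and one benign ad-block entry
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
203.0.113.7     www.google.com
203.0.113.7     www.bing.com
192.168.10.5    intranet.corp
"""

SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("keyword.URL", "http://203.0.113.7/search?q=");
user_pref("browser.search.defaultenginename", "Google");
"""

if __name__ == "__main__":
    for f in hosts_redirects(SAMPLE_HOSTS):
        print("hosts:", f)
    for f in firefox_search_tampering(SAMPLE_PREFS):
        print("prefs.js:", f)
```

On a live system, feed it `C:\Windows\System32\drivers\etc\hosts` and the `prefs.js` under each Firefox profile; a `redirect` finding whose IP also appears in proxy logs for search traffic is the pivot for scoping the infection.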

During our investigation, we noticed Trojan.Rloader.B dropping a second click-fraud component previously detected as Trojan.Spachanel, which we discussed in a previous blog. When executed, Trojan.Spachanel injects JavaScript to load pop-up advertisements within the compromised browser.


Figure 4. Pop-up advertisement example

Symantec has detections in place for the new Rloader variant as Trojan.Rloader.B. We have updated the detections for Spachanel click-fraud modules as Trojan.Spachanel. Symantec will continue to monitor the activities of the Waledac botnet while ensuring the best possible protection is in place for our customers. To aid in protection against botnet infection, Symantec recommends that you employ the latest Symantec technologies.

Bitcoins Still a Hot Security Topic

Interest in Bitcoin—the decentralized digital currency—is definitely growing. But as with anything established, it also sparks the interest of scammers. We have seen a few Trojans stealing Bitcoin wallets over the last few years. Also, Trojans installing Bitcoin miners are not that exotic anymore. A case from last week shows how far interest has grown on the criminal side. Reports have emerged about phishing websites impersonating Mt.Gox, the largest Bitcoin exchange site. Mt.Gox has already fought battles in the past—for example when it was on the receiving end of a distributed denial-of-service (DDoS) attack and also when US authorities temporarily seized part of their money.

Of course, as is the nature of phishing websites, the real site has nothing to do with the fake scam site. The scammers simply reused the same second-level domain (SLD) label, "mtgox", under a different top-level domain (TLD), for example .org, .net, .de, and others. The scam site tried to trick users into downloading and installing malware under the convincing file name MTGOX_Wallet.exe, which Symantec detects as Downloader.Ponik.


Figure 1. Phishing website uses alternate TLD


Figure 2. Phishing website

The phishing websites were even advertised using more than one major online advertising service, for example Microsoft’s advertisement network, in order to reach as many victims as possible. This resulted in the scam ad being displayed on many prominent websites.

The ad enticed users by stating "New Century Gold: BITCOIN Protect your money - Buy Bitcoin"—a clever turn-about since the ad links to a scam site that has everything else in mind except protecting your money.

The fact that the phishing site is served over plain HTTP rather than the Secure Sockets Layer (SSL) protocol that the real exchange uses should have been a clear giveaway for any visitor. As with any financial service, regardless of the currency behind it, people should exercise due diligence to ensure they are on the real website before entering information. In this case, the scammers left an additional clue inside the HTML of the phishing website for the curious: they hid the original site's guidance to change passwords.
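The two tells described above, a brand's SLD label under the wrong TLD and a financial site served without SSL, are mechanical enough to check in bulk against proxy or ad-click logs. The checker below is an added example, not Symantec's or Mt.Gox's code; the brand list, the small public-suffix table and the sample URLs are constructed for illustration, and it generalises the post's case slightly by also catching the brand label used as a hyphenated token (mtgox-wallet.net) rather than only the bare label.

```python
"""Flag look-alike domains that reuse a brand's SLD label under another TLD, and plain-HTTP pages."""
from urllib.parse import urlsplit

# Suffixes under which the registrable label sits one level deeper (tiny stand-in
# for the Public Suffix List; extend for real use).
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Protected brand label -> the suffix its legitimate site lives under (constructed).
BRANDS = {"mtgox": "com"}


def split_registrable(host: str) -> tuple:
    """Return (second_level_label, public_suffix) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def check_url(url: str, brands: dict = BRANDS) -> dict:
    """Classify one URL: which brand it imitates (if any) and whether it lacks TLS."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sld, suffix = split_registrable(host)
    verdict = {"url": url, "host": host, "lookalike_of": None,
               "plaintext": parts.scheme.lower() == "http"}
    for brand, legit_suffix in brands.items():
        # Exact label under the wrong TLD (mtgox.org), or the label as a token (mtgox-wallet.net).
        exact = sld == brand and suffix != legit_suffix
        token = sld != brand and brand in sld.split("-")
        if exact or token:
            verdict["lookalike_of"] = f"{brand}.{legit_suffix}"
            break
    return verdict


def scan(urls: list, brands: dict = BRANDS) -> list:
    """Return only the verdicts worth a human's attention."""
    return [v for v in (check_url(u, brands) for u in urls)
            if v["lookalike_of"] or (v["plaintext"] and v["host"] in {f"{b}.{s}" for b, s in brands.items()})]


# Constructed sample, not real log data.
SAMPLE_URLS = [
    "https://mtgox.com/login",
    "http://mtgox.org/",
    "http://mtgox.co.uk/",
    "http://www.mtgox-wallet.net/MTGOX_Wallet.exe",
    "https://example.com/",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_URLS):
        print(v)
```

The hyphen-token rule deliberately does not match substrings (it would otherwise flag unrelated words that happen to contain the label); widen it only with a brand whose label is distinctive enough.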


Figure 3. Phisher-altered HTML

Symantec recommends that all Mt.Gox users change their passwords and verify their accounts. Mt.Gox has started to intensify the verification process for its members, allowing deposits or withdrawals only from verified accounts. They appear to be doing as much as possible to comply with anti-money laundering laws in order to avoid the same fate as Liberty Reserve, which was shut down by federal prosecutors in May. Although Bitcoin is substantially different from Liberty Reserve because of its decentralized peer-to-peer structure, and hence much harder to shut down, it is still good business practice to do as much as possible to ensure a secure service.

Symantec has recently launched cloud-based Symantec AdVantage to help prevent ads that lead to malware from ever reaching customers. Website owners that include advertising on their websites should also check out the anti-malvertisement guidelines recommended by the Online Trust Alliance (OTA). The OTA is a non-profit organization with the mission to enhance online trust while promoting innovation and the vitality of the Internet. Symantec is a founding member of the OTA.