NetTraveler is an ATP group first spotted by Kaspersky in 2013, when researchers discovered an espionage activity against over 350 high profile victims from 40 countries.
In May 2016, expert from Kaspersky Lab discovered a remote code execution vulnerability (CVE-2015-2545) in Office exploited by multiple APTs. In the same month security experts from PaloAlto Networks collected evidence that the Operation Ke3chang discovered by FireEye in 2013 is still ongoing. In this case, experts spotted phishing attacks relied on email with attached an MHTML document that was specifically crafted to trigger the Microsoft Office vulnerability (CVE-2015-2545) and drop the TidePool malware.
Experts from Proofpoint reported that China-based threat actor is using NetTraveler in recent attacks on Russian and European organizations, including weapons manufacturers, human rights activists, and pro-democracy groups, among others.
The new NetTraveler campaign shows similarities with the PlugX one discovered last year.
“Previously we described activity by the same actor “In Pursuit of Optical Fibers and Troop Intel”  in which this group utilized PlugX malware to target various telecommunication and military interests in Russia.” states ProofPoint. “Since January 2016, this group switched to using NetTraveler and varied its targets, but otherwise left most of its tools, techniques, and procedures (TTPs) unchanged. It is worth noting that this and other China-based espionage groups have reduced their reliance on PlugX for unknown reasons, with only a few major incidents involving PlugX this year.”
The attackers used relevant articles on a news topic such as nuclear energy, geopolitics, and military, and uses it as bait.
The malicious emails either include a link to RAR SFX-packaged executables that are hosted on look-alike domains, that install NetTraveler.
In other attacks, the threat actors used emails with a malicious Microsoft Word document as attachment that embeds the code to exploit the CVE-2012-0158 flaw.
The threat actor set up its domains with the same registrar “Shanghai Meicheng Technology Information Development Co., Ltd.,” providing fake information at each registration.
ProofPoint published the analysis of the NetTraveler implants that still use a DLL side-loading technique.
“The payloads described here used the clean, signed executable fsguidll.exe (F-secure GUI component) to sideload fslapi.dll or the clean, signed executable RasTls.exe to sideload rastls.dll.” states ProofPoint.
“Regardless of the TTPs, this ongoing APT points to the staying power of NetTraveler and the need for ongoing vigilance and technological protections against advanced persistent threats. Even organizations without direct government ties are potential targets for these types of attacks as smaller agencies or contractors can serve as beachheads in larger campaigns against indirectly related targets,”
(Security Affairs – Cyber espionage, NetTraveler)