14 DAY TRIAL // A Chinese threat actor has been busy all year conducting a complex spear-phishing campaign aimed mainly at Russian targets, but also neighboring countries such as Belarus and Mongolia.
The APT behind these attacks has been using two sorts of spear-phishing emails.
One contains links to fake news sites where a drive-by download places an RAR-compressed executable on the victim's computer. The second spear-phishing tactic was to attach Word documents containing an exploit that used the CVE-2012-0158 vulnerability to infect the targeted host.
Both approaches dropped the ancient yet still very efficient NetTraveler malware on the victim's PC. Kaspersky discovered NetTraveler in 2013, but security researchers say it was actually developed back in 2004, when other samples were also found.
NetTraveler, a classic tool used by Chinese threat actors
NetTraveler has been tied historically to China-based cyber-espionage groups and has been used as a backdoor to find and exfiltrate data from infected systems.
These recent attacks with NetTraveler and the attention paid to the way the spear-phishing campaign was executed show an experienced actor behind the attacks.
The group operated by registering custom domains and then hosting copies of legitimate articles on these sites, along with the NetTraveler malware, packaged for watering hole attacks.
New evidence shows ties to China (again)
Security firm Proofpoint discovered multiple of these fake news sites and even managed to break into one of the group's C&C servers. Inside they found data on attacks on victims in Russia, Mongolia, Belarus, and other of Russia's European neighbors.
Researchers discovered that many of these fake news sites were registered with the same registrar, a company from Beijing called Shanghai Meicheng Technology Information Development Co., Ltd.. For all domains, the group used a 4-6 letter Yahoo or Gmail account.
Additionally, the IP address 98.126.38.107 resolved to attacks detected in another cyber-espionage campaign against Russian entities from early 2015, tied to Chinese cyber-espionage group TA459.
Recent NetTraveler attacks part of a grander cyber-espionage campaign
Proofpoint says that NetTraveler malware samples were generated with the MNKit malware builder. Last week, Palo Alto Networks tied together different cyber-espionage campaigns to this malware building kit, such as the ones that used the LURK and Saker malware.
All campaigns led back to Chinese threat actors and used the CVE-2012-0158 vulnerability, as in Proofpoint's report. This attack is part of a long-lasting and coordinated cyber-espionage campaign that has targeted in the past Chinese minorities and the Russian military using the same tools and techniques.
For this campaign, the group used spear-phishing lures related to nuclear energy, military training, or geopolitics, but targeted a broad set of individuals and organizations, such as weapons manufacturers, human rights activists, and pro-democracy groups.