The “Red Star” APT group employing the NetTraveler malware family is still active, but has changed its modus operandi.
Its targets remain the same: government institutions, embassies, the oil and gas industry, research centers, military contractors and activists.
“Immediately after the public exposure of the NetTraveler operations, the attackers shutdown all known C2s and moved them to new servers in China, Hong Kong and Taiwan,” noted Kaspersky Lab’s Costin Raiu. “However, they also continued the attacks unhindered.”
The latest round of attacks targets Uyghur activists. Last week, a number of spear-phishing emails have been spotted by the company, purportedly carrying a link pointing to a statement made by the World Uyghur Congress regarding a recent massacre.
Unfortunately, when the victims follow the link, they are taken to a known NetTraveler-related domain, where an exploit for a known and patched Java vulnerability (CVE-2013-2465) is used to drop a backdoor on to their computer. The malware collects information from it and sends it to a previously unknown C&C server.
Another way the group targets those same activists is by compromising the official website of an Uyghur-related website (in this case, the one belonging to the Islamic Association of Eastern Turkistan) and make it redirect to the aforementioned NetTraveler-related domain, where the same infection chain is repeated.
“The usage of the Java exploit for CVE-2013-2465 coupled with watering hole attacks is new, previously unseen development for the NetTraveler group,” Raiu points out.
Still, the group has yet to be seen exploiting zero-day vulnerabilities, so for now keeping one’s OS, Java and other software updated is enough to prevent becoming a victim.