NetTraveler
NetTraveler, also known as Travnet, is a cyberespionage threat actor and campaign identified by Kaspersky Lab. The campaign was active from at least 2004-2005, with the largest number of samples created between 2010 and 2013. Kaspersky reported more than 350 high-profile victims across over 40 countries and estimated the total victim count could be around 1,000. Targets included political activists, research centers, government institutions, embassies, military contractors, and private companies. Infection data cited Mongolia as having the highest number of infections, followed by Russia, India, and Kazakhstan. NetTraveler was designed to steal documents and conduct basic computer surveillance. It primarily targeted DOC, XLS, PPT, RTF, and PDF files, with some configurations also targeting CDR, DWG, DXF, CDW, and DWF files. The group's primary infection vector was spear-phishing emails carrying malicious Microsoft Office documents that exploited CVE-2012-0158 and CVE-2010-3333; Kaspersky reported no evidence of zero-day exploitation or rootkits. Related malware used in the campaign included Saker (also known as Xbox) and PCRat (also known as Zegost). The NetTraveler malware also reports window names alongside keylogger data, giving captured keystrokes their application context. Kaspersky assessed the NetTraveler group to have around 50 members, most of them native Chinese speakers with some knowledge of English. The group's domains of interest included space exploration, nanotechnology, energy production, nuclear power, lasers, medicine, and communications. Kaspersky also reported overlap between a small number of NetTraveler victims and victims of the Red October campaign. Additional reporting cited here links NetTraveler infrastructure to the C2 domain riaru[.]net, which was used for attacks targeting the CIS and Europe. The same WHOIS email address used for that domain was later noted in infrastructure analysis connected to broader China-linked activity.
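The document-theft behaviour described above (bulk collection of DOC, XLS, PPT, RTF and PDF files, plus the CAD and vector formats seen in some configurations) is something an endpoint file-access feed can surface. The following is an added detection example, not code from Kaspersky or from Mallory: it parses a constructed, simplified file-read log and flags any process that reads an unusual number of distinct target-type documents across several directories within a short window. The log format, the process names and the thresholds are assumptions for illustration.

```python
"""Flag processes that sweep up the document types NetTraveler collected.

Added example; not Kaspersky's or Mallory's code. Assumes a constructed,
simplified endpoint file-access log with one event per line:
    <ISO timestamp> <process> pid=<n> read <windows path>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the campaign was reported to collect: the core set plus the
# CAD/vector types present in some configurations.
CORE_EXTS = {".doc", ".xls", ".ppt", ".rtf", ".pdf"}
EXTRA_EXTS = {".cdr", ".dwg", ".dxf", ".cdw", ".dwf"}
TARGET_EXTS = CORE_EXTS | EXTRA_EXTS

LINE_RE = re.compile(r"^(\S+) (\S+) pid=(\d+) read (.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, pid, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "proc": proc,
            "pid": int(pid), "path": path}


def is_target_doc(path):
    """True if the file extension is one the campaign was reported to steal."""
    return PureWindowsPath(path).suffix.lower() in TARGET_EXTS


def find_document_sweeps(lines, window=timedelta(minutes=5),
                         min_files=10, min_dirs=3):
    """Return {(process, pid): summary} for processes that read at least
    min_files distinct target documents spread over at least min_dirs
    directories inside any sliding time window of length `window`.
    The summary kept for each process is the window with the most files."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_target_doc(ev["path"]):
            events[(ev["proc"], ev["pid"])].append(ev)

    hits = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            paths = {e["path"] for e in evs[start:end + 1]}
            dirs = {str(PureWindowsPath(p).parent).lower() for p in paths}
            best = hits.get(key)
            if (len(paths) >= min_files and len(dirs) >= min_dirs
                    and (best is None or len(paths) > best["files"])):
                hits[key] = {"files": len(paths), "dirs": len(dirs),
                             "first": evs[start]["ts"], "last": ev["ts"]}
    return hits


# Constructed sample log: a word processor opening two files, a text file
# read, and one process reading twelve documents from four folders in
# twelve seconds.
_SWEEP = [("Documents", "doc"), ("Documents", "xls"), ("Documents", "ppt"),
          ("Desktop", "pdf"), ("Desktop", "rtf"), ("Desktop", "doc"),
          ("Downloads", "dwg"), ("Downloads", "xls"), ("Downloads", "pdf"),
          ("Projects", "dxf"), ("Projects", "doc"), ("Projects", "ppt")]
SAMPLE_LOG = [
    "2013-06-04T09:00:01 WINWORD.EXE pid=2100 read C:\\Users\\alice\\Documents\\budget.doc",
    "2013-06-04T09:02:15 WINWORD.EXE pid=2100 read C:\\Users\\alice\\Documents\\notes.rtf",
    "2013-06-04T09:05:00 explorer.exe pid=1500 read C:\\Users\\alice\\Desktop\\readme.txt",
] + [
    f"2013-06-04T09:10:{i:02d} updater.exe pid=4412 read C:\\Users\\alice\\{d}\\file{i}.{e}"
    for i, (d, e) in enumerate(_SWEEP)
]

if __name__ == "__main__":
    for (proc, pid), info in find_document_sweeps(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}): {info['files']} target documents in "
              f"{info['dirs']} directories between {info['first']} and {info['last']}")
```

On the sample data only `updater.exe` is flagged. In production the same heuristic needs an allowlist for legitimate bulk readers (search indexers, backup agents, antivirus scanners), and the thresholds should be tuned per host role; the value of the extension list is that it narrows attention to the document types this campaign was actually after.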
Tradecraft
4 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated vulnerabilities
2 CVEs used by this actor in observed campaigns, both exploited in the wild.
The primary attack method consists of spear-phishing emails carrying malicious documents that exploit two remote code execution vulnerabilities that affect Microsoft Office, namely CVE-2012-0158 and CVE-2010-3333, in order to install the malware.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Named malware/activity cluster explicitly listed as using steganography in attacks.
Referenced due to overlapping domain registration artifacts with infrastructure later connected indirectly to ShadowPad activity; targeted CIS and Europe.
Cyberespionage campaign compromising high-profile victims across more than 40 countries over eight years, focused on stealing documents and conducting basic surveillance against activists, research centers, government institutions, embassies, military contractors, and private companies.
Keylogging operations augmented with window-title reporting to provide application context.