NetTraveler

NetTraveler, also known as Travnet, is a Trojan used in long-running targeted cyberespionage operations. Kaspersky reported the broader NetTraveler campaign compromised more than 350 high-profile victims across over 40 countries over roughly eight years, with total victims estimated at around 1,000. Victims included political activists, research centers, government institutions, embassies, military contractors, private companies, weapons manufacturers, human-rights activists, and pro-democracy groups. Reported geographic targeting included Mongolia, Russia, India, Kazakhstan, Belarus, and other European countries.

NetTraveler is designed primarily for document theft and basic computer surveillance. It steals documents including DOC, XLS, PPT, RTF, and PDF files; some configurations also targeted CDR, DWG, DXF, CDW, and DWF files. The malware includes keylogging capability and reports window names together with keylogger data to provide application context.

Observed delivery commonly relied on spear-phishing. Reported infection vectors included malicious Microsoft Word documents exploiting CVE-2012-0158 and CVE-2010-3333, as well as links to RAR-compressed self-extracting executables hosted on lookalike news and military-themed domains. Some exploit documents were built with MNKit. Proofpoint reported the actor used victim-relevant geopolitical, military, and energy-themed lures based on real news articles.

NetTraveler has been observed using DLL side-loading with legitimate signed executables such as fsguidll.exe and RasTls.exe to load malicious DLLs including fslapi.dll or rastls.dll. It used a dropped configuration file, config.dat, containing parameters such as U00P for C2, K00P for DES key, P00D for sleep time, and F00G for proxy settings. An example configuration referenced the path hxxp://www.tassnews[.]net/revenge/dk/downloader.asp.

The malware and campaign were associated in reporting with China-linked espionage activity. Kaspersky assessed the NetTraveler group had around 50 members and that most were native Chinese speakers with some English knowledge. Proofpoint assessed a related operator targeting Russia and neighboring countries likely operated out of China. Infrastructure overlaps were reported between NetTraveler and later ZeroT/PlugX activity, including shared C2 domains such as www.tassnews[.]net, www.riaru[.]net, and www.versig[.]net. Additional domains associated with NetTraveler activity included www.interfaxru[.]com, www.voennovosti[.]com, www.info-spb[.]com, and www.mogoogle[.]com; one reported IP was 103.231.184[.]164.

NetTraveler was first observed as early as 2004, with earliest identified samples timestamped 2005 and the largest number of samples created between 2010 and 2013. Kaspersky analyzed command-and-control logs dating back to 2009 and reported more than 22 GB of stolen data stored on NetTraveler servers, noting this represented only a fraction of the total exfiltrated data. Securelist also cited NetTraveler among malware families that have used steganography.