Threat Intelligence, Incident Response, Malware, TDR

Buggy Word programs still exploit of choice for persistent data-stealing groups

A malicious toolkit, called NetTraveler, is being leveraged in a cyber espionage campaign targeting hundreds of organizations around the globe – and attackers are using two commonly exploited flaws in Microsoft Word to steal corporate data.

On Tuesday, researchers at Kaspersky Lab released an analysis about the NetTraveler toolkit, which is capable of exfiltrating data – like file system listings, PDFs and Excel and Word documents – from infected machines.

According to the security firm, the campaign has been active since early 2004, though the majority of infections occurred in the last three years. Throughout the extensive campaign, the NetTraveler group has infected 350 victims in 40 countries in which government and military organizations, activists, oil and gas companies and research centers were the primary targets.

Victims have mostly been in Mongolia, Russia and India, but organizations in the United States are among those impacted.

Between 2010 and 2013 – the period of time when researchers saw the most cyber espionage activity – the group has stolen data belonging to organizations in the space exploration, nanotechnology, medicine, communications and nuclear power and energy production industries.

Since 2004, researchers estimate that more than 22 gigabytes of stolen data has been stored on the NetTraveler group's command-and-control servers.

To deliver the malicious toolkit, which also installs other information-stealing malware once downloaded onto victims' computers, attackers deliver spear phishing emails that are carefully crafted to lure the intended target into opening weaponized, attached documents.

Perpetrators email Microsoft Word documents to their targets and exploit two vulnerabilities, CVE-2012-0158 and CVE-2010-333, to rig the attachments with the NetTraveler toolkit.

The flaws, for which Microsoft has already released patches, were also used to deliver the Rocra trojan in a five-year-long espionage campaign, called Red October, which was uncovered by Kaspersky in January.

Researchers say the Red October and NetTraveler campaigns weren't staged by the same group. However, as a Russian-speaking alliance was thought to be behind Red October. Kaspersky believes some 50 individuals, whose native language is Chinese, are operating the NetTraveler spy ring.

In an email Tuesday, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said that the Word exploits are frequently used by attackers simply because they are easy to leverage.

“Exploits targeting CVE-2012-0158 and CVE-2010-3333 generally are reliable, easily built by a number of exploit generation kits, and target the almost ubiquitous Microsoft Office suite that appears to be poorly maintained at many targeted organizations,” Baumgartner said.

Weaponized documents also “fit well into social engineering and spear phishing schemes” – often used by groups to gain access to corporate data, he said.

The NetTraveler campaign is another prime example of how cyber espionage groups continue to rely on businesses' inadequate patching practices to easily infiltrate organizations.

“Witnessing how effectively these security holes have been abused for the past couple of years is a real concern,” Baumgartner said. “It's unfortunate that many organizations do not have the resources or expertise to support their networks adequately.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.