NetTraveler Attackers Using PRISM Program as Bait

ID THREATPOST:849E78B2F5C0D699337829FD6D6F8AE4
Type threatpost
Reporter Dennis Fisher
Modified 2018-03-22T14:58:21


Never let it be said that attackers don’t keep up with the news. The crew behind the NetTraveler cyberespionage attacks is now using the news about the NSA’s PRISM surveillance program as bait in a new spear-phishing campaign.

Security researcher Brandon Dixon of 9bplus came across a malicious email this week that plays off the recent spate of news stories about the leaked data on the National Security Agency’s PRISM program, which is designed to gather data on users from a variety of large Internet companies, reportedly including Microsoft, Apple, Google and others. The email is designed to look like it was sent by Jill Kelley, the woman who helped expose the affair that David Petraeus was having.

Dixon said that the message was targeted at someone involved with the Regional Tibet Youth Congress in India and included a malicious Word document that had many of the earmarks of the tactics used by the NetTraveler attackers.

“The attachment is a Word document labeled ‘Monitored List 1.doc’, exploiting the always favored CVE-2012-0158 and can be tied back to the same actors involved in the NetTraveler campaigns brought to light by Kaspersky. It’s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed. Again, this sort of behavior shows poor operational security or a complete lack of care,” Dixon wrote in his analysis of the email.

The text of the email is crammed with somewhat nonsensical text mentioning the NSA PRISM program, Edward Snowden, the former NSA contractor responsible for the leaks, and the CIA. Once the malicious Word document is opened on a target machine, it writes several files to the hard drive, including one named “dw20.exe”, which has been seen in use by the NetTraveler crew in the past. Dixon said he wasn’t able to identify the IP address or command and control server associated with the email campaign, but he believes there are likely additional emails out there like the one he found.
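The only host-side behaviour the article describes is the document writing files to disk, one of them named dw20.exe. That name is also used by Microsoft's own Office error-reporting component, which is installed under the Common Files\Microsoft Shared\DW directory, so a detection that keys on the filename alone will page on every Office crash report. The following is an added example, not code from the article, from Dixon's write-up, or from Kaspersky: a small triage rule that scans process-creation and file-creation records for a dw20.exe appearing outside its expected directory, and raises the severity when the parent is an Office process. The key=value log format, the sample lines, the user and path names, and the list of Office parent processes are all constructed for this example.

```python
"""Triage rule for the dw20.exe drop described in the NetTraveler article.

Added example; the log format is a hypothetical key=value export, not a real
Sysmon/EDR schema. Values containing spaces are double-quoted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# key=value tokens; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Filename named in the article as one of the files the document writes.
DROPPED_NAME = "dw20.exe"
# Where the legitimate Office error-reporting dw20.exe lives (assumed default
# install path); a copy anywhere else is what we want to see.
LEGIT_DW20_DIR = r"c:\program files\common files\microsoft shared\dw"
# Office parents worth a higher severity (constructed list for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample records: lines 1 and 2 model the article's scenario,
# line 3 is the legitimate error-reporting tool, line 4 is unrelated noise,
# line 5 is a copy in an odd place launched by a non-Office parent.
SAMPLE_LOGS = [
    r'ts=2013-06-20T10:01:02Z event=file_create parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" image="C:\Users\tenzin\AppData\Local\Temp\dw20.exe"',
    r'ts=2013-06-20T10:01:03Z event=process_create parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" image="C:\Users\tenzin\AppData\Local\Temp\dw20.exe"',
    r'ts=2013-06-20T10:05:00Z event=process_create parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" image="C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE"',
    r'ts=2013-06-20T10:06:00Z event=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\notepad.exe"',
    r'ts=2013-06-20T10:07:00Z event=process_create parent="C:\Windows\System32\services.exe" image="C:\Windows\Temp\dw20.exe"',
]


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final path component (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    """Lower-cased directory part, or '' when the path has no separator."""
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def evaluate(rec: dict, line_no: int = 0) -> Optional[Finding]:
    """Return a Finding when dw20.exe is created or launched outside its
    expected directory; None for everything else."""
    if rec.get("event") not in {"process_create", "file_create"}:
        return None
    image = rec.get("image", "")
    if basename(image) != DROPPED_NAME:
        return None
    if dirname(image) == LEGIT_DW20_DIR:
        return None  # the genuine error-reporting binary in its normal home
    parent = basename(rec.get("parent", ""))
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    reason = (f"{DROPPED_NAME} {rec['event']} at {image} "
              f"(outside {LEGIT_DW20_DIR}; parent={parent or 'unknown'})")
    return Finding(line_no, severity, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Apply the rule to every record, keeping 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = evaluate(parse_line(line), n)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
```

The path check is what keeps this usable: an Office process launching the real DW20.EXE from its install directory is normal crash handling, while the same filename appearing under a user's Temp directory, written by the Word process that just opened an attachment, is the sequence the article describes. The rule is only a starting point for triage, since the article gives no hashes or network indicators for the sample.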

“Whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. The NetTraveler attackers have been going strong since the early 2007-2008’s and I doubt they will be stopping anytime soon,” Dixon said.

Kurt Baumgartner, a security researcher at Kaspersky Lab who did some of the original research on the NetTraveler campaign, said the group behind the attacks is oddly incautious in its tactics.

“These groups are surprisingly bold. Not only did we see this group maintain backdoors on their victim systems alongside Red October backdoors, but the NetTraveler infrastructure continues to be in active use even after the operation has moved out of the shadows and into the public light,” he said.

_Image from Flickr photos of LadyDragonflyCC._