Today, Kaspersky published a paper titled “The NeTTraveler (aka ‘TravNeT’).” The paper provides analysis on a targeted attack campaign that is targeting various organizations worldwide, such as governments, industries, and non-government organizations. This research is related to the McAfee blog “Travnet Trojan Could Be Part of APT Campaign” released earlier in March about a campaign we have been monitoring as well. We have the following antivirus coverage in place for this threat:
We also provide the following IPS coverage:
- System Infected: Trojan.Travnet
- Web Attack: Microsoft Common Controls CVE-2012-0158
- Attack: MS Office Word RTF Exploit CVE-2010-3333
The identified infection vector of this campaign is spear phishing emails with specially crafted attachments in rich text format (RTF). We have observed malicious files in RTF format that exploit Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333), both patched vulnerabilities in Microsoft Office and other Microsoft products. We have seen similar behavior from these files: exploitation of Microsoft Word to drop a file we detect as Trojan.Mdropper.
Once exploited malware is dropped which, in turn, drops other files and steals information from targets and sends it back to the attackers’ command-and-control (C&C) server. Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Trojan.Travnet.
Users should ensure that software applications are up to date, and avoid clicking on suspicious links or opening suspicious email attachments. To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.