NetTraveler (also known as “Travnet” or “Netfile”) is a data-stealing utility leveraged by Chinese APT actors against high-profile targets, including diplomatic officials and military organizations. The malware has been used since 2013 to infect numerous victims in over 40 countries. Recently, in April 2016, a new variant of the NetTraveler malware was observed in a campaign targeting Uyghur and Russian organizations. The attacks also leveraged weaponized Office documents created by the MNKit malicious document generator.
This report provides analysis of, and mitigations for, the MNKit dropper and the NetTraveler malware. Wapack Labs is providing this analysis as situational awareness of an ongoing APT campaign.
Attribution/Threat Actors: Hammer Panda, TA459
Actor type: Adversary capabilities have been assessed as Tier V – State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or who have the ability to impact products while in the supply chain, to enable exploitation of networks and systems of interest.