MNKit & NetTraveler Variants

NetTraveler (also known as “Travnet” or “Netfile”) is a data-stealing utility leveraged by Chinese APT actors against high profile targets including diplomatic officials and military organizations. The malware has been used since 2013 to infect numerous victims in over 40 countries. Recently in April 2016, a new variant of the NetTraveler malware was observed in a campaign targeted against Uyghur and Russian organizations. The attacks also leveraged weaponized Office documents created by the MNKit malicious document generator.

This report provides analysis and mitigations on MNKit dropper and NetTraveler malware.  Wapack Labs is providing this analysis as situational awareness of an ongoing APT campaign.

Attribution/Threat Actors: Hammer Panda, TA459

Actor type:  Adversary capabilities have been assessed as Tier V – State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.

Indicators: 

• https://www.threatrecon.co/search?keyword=FR16-018
• redsky.soltra.com

The full report and previous reporting can be viewed in the Red Sky Alliance portal.

Analyst: Mike Murray

Publication Date: 16 June 2016; information cutoff date: 1 June 2016