The name of this malware is based on the fact that early versions of it contained the string "NetTraveler is Running!". It is used by attackers for advanced persistent threats to survey their victims. It can transfer large amounts of private information from systems of victims to C&C servers, functioning as a trojan horse and backdoor to these systems.
Spear-phishing with Office documents like MS Word documents is used to infect vulnerable systems, targeting the CVE-2012-0158 and CVE-2010-3333 vulnerabilities. The attackers use news articles that are relevant to their targets for their spear fishing.
Kaspersky Lab found that certain victims that were infected with NetTraveler were also infected by Red October, although no direct relation with this malware was established. The multiple infections might be accounted for by the fact that these were high-profile victims like government agencies, nuclear power installations and embassies in dozens of countries.
According to Kaspersky Lab, NetTraveler is used by a medium-sized threat actor group from China.
- "NetTraveler APT Targets Russian, European Interests". Proofpoint. July 7, 2016. Archived from the original on July 4, 2017.
- "The NetTraveler (a.k.a. 'Travnet')" (PDF). Kaspersky Lab. Archived (PDF) from the original on July 4, 2017.
- "How to Remove NetTraveler Completely From Your PC?". pc-remover.com. Archived from the original on July 4, 2017.
- Constantin, Lucian. "Cyberespionage campaign 'NetTraveler' siphoned data from hundreds of high-profile targets". CSO Online. Retrieved 2018-03-29.