{
	"id": "02d9ac46-ef7e-47e2-bdd4-4fa3c1b6df21",
	"created_at": "2026-04-06T00:14:45.316516Z",
	"updated_at": "2026-04-10T03:32:34.659975Z",
	"deleted_at": null,
	"sha1_hash": "acc9346b5fa03d201fb8e10850a1b185088f1221",
	"title": "NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1889493,
	"plain_text": "NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan\r\nBy Vicky Ray, Robert Falcone\r\nPublished: 2016-01-21 · Archived: 2026-04-05 17:00:52 UTC\r\nUnit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan\r\nin China. A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in\r\nBeijing, China. In this report, we’ll review how the actors attempted to exploit CVE-2012-0158 to install the\r\nNetTraveler Trojan.\r\nOn December 12, 2015, a spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan. The body\r\nand subject of the email suggests that the email was spoofed to look like it was sent by the Russian Foreign\r\nMinistry and the attachment may contain an official annual report on CHS (Council of Heads of Member States),\r\nwho form the SCO (Shanghai Cooperation Organization).\r\nFilename: “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” (translated to: “2015.12.11_sroki CHS in 2015\r\nUfe.doc.doc”)\r\nBody: “С уважением, ДАТС МИД России” (translated to: “Yours faithfully, ACSD Russian Foreign Ministry”)\r\nIt is interesting to note the reference of Ufa in the file name, as the city of Ufa in Russia hosted the SCO BRICS\r\nSummit on July 9 and 10, 2015. 
SCO and BRICS (Brazil, Russia, India, China and South Africa) are intergovernmental organizations focused on regional security and economic cooperation.\r\nFigure 1 Leaders of member nations at the 2015 Summit in Ufa\r\nTARGETING AND MALWARE ANALYSIS\r\nOur analysis shows that the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.\r\nhttps://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/\r\nPage 1 of 14\n\nFigure 2 Email containing the malicious attachment\r\nThe attachment “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” is a malicious document built with the MNKit toolkit that exploits CVE-2012-0158, the MSCOMCTL ActiveX vulnerability in Microsoft Office.\r\nUpon successful exploitation, the document installs the Trojan known as NetTraveler using the DLL side-loading technique. NetTraveler has been used in targeted cyber espionage attacks by nation-state threat actors for more than a decade and continues to be used to compromise victims and exfiltrate data.\r\nDLL side-loading has been gaining adoption among cyber espionage actors as a way to bypass traditional security controls: a legitimate, often signed, executable is made to load an attacker-supplied DLL placed in its own directory, so the malicious code runs under a trusted process name. Unit 42 also published a blog last year (see References) discussing an unrelated attack in which DLL side-loading was used.\r\nFigure 3 illustrates the exploitation and infection flow of the malware.\r\nFigure 3 Overview of the infection flow\r\nThe document “2015.12.11_сроки СГГ 2015 в Уфе.doc.doc” exploits CVE-2012-0158 to drop a decoy file “~$.doc” and the actual payload “DW20.exe”. 
The decoy is a blank document with its metadata stripped.\r\nThe payload (DW20.exe) is a self-extracting (SFX) RAR archive that contains the following files:\r\nRasTls.exe\r\nrastls.dll\r\nSycmentec.config\r\nFigure 4 The payload (DW20.exe) is an SFX RAR archive\r\nThe SFX RAR uses the following configuration to launch the embedded executable RasTls.exe, a legitimate application created by Symantec, which then side-loads the attacker-supplied rastls.dll from the same directory:\r\nSetup=RasTls.exe\r\nTempMode\r\nSilent=1\r\nOverwrite=1\r\nThe figure below shows that the config file ‘Sycmentec.config’ is encrypted. It can be decrypted with a single-byte XOR using ‘0x77’ as the key.\r\nFigure 5 Encrypted ‘Sycmentec.config’ file\r\nThe ‘rastls.dll’ DLL loads and decrypts this file. 
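As an added Python example (not code from the Unit 42 report), the following reverses the single-byte XOR on Sycmentec.config and then carves out the PE image that the loader shellcode carries. The input is constructed in build_sample() (fake shellcode containing a decoy MZ, followed by a minimal PE stub); the validation rule used to tell a real header from a stray MZ (e_lfanew at DOS header offset 0x3C must point at the PE signature) is this example's own choice, and all function names are its own.

```python
# Added example (not from the Unit 42 report): reverse the single-byte XOR on
# Sycmentec.config and carve out the embedded DLL that follows the shellcode.
import struct

XOR_KEY = 0x77  # key the report gives for Sycmentec.config


def xor_decrypt(data: bytes, key: int = XOR_KEY) -> bytes:
    # Single-byte XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(b ^ key for b in data)


def is_pe_header(blob: bytes, off: int) -> bool:
    # Accept 'MZ' at off only if e_lfanew (DOS header offset 0x3C) points at
    # the 'PE' signature (bytes 50 45 00 00). This rejects a stray 'MZ' in code.
    if blob[off:off + 2] != b'MZ' or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from('<I', blob, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:   # at least the DOS header size, sane upper bound
        return False
    pe_off = off + e_lfanew
    return blob[pe_off:pe_off + 4] == bytes([0x50, 0x45, 0x00, 0x00])


def find_embedded_pe(blob: bytes) -> int:
    # Offset of the first validated PE image in blob, or -1 if none.
    off = blob.find(b'MZ')
    while off != -1:
        if is_pe_header(blob, off):
            return off
        off = blob.find(b'MZ', off + 1)
    return -1


def carve_payload(encrypted: bytes, key: int = XOR_KEY):
    # Decrypt, then split into (loader shellcode, embedded DLL); DLL is None if absent.
    plain = xor_decrypt(encrypted, key)
    off = find_embedded_pe(plain)
    if off < 0:
        return plain, None
    return plain[:off], plain[off:]


def build_sample() -> bytes:
    # Constructed stand-in for the real file: 32 bytes of fake shellcode that
    # even contains a decoy 'MZ', followed by a minimal PE stub (DOS header with
    # e_lfanew = 0x40, then the 'PE' signature), all XORed with 0x77.
    shellcode = bytes([0x90] * 10) + b'MZ' + bytes([0x90] * 20)
    dos_header = bytearray(0x40)
    dos_header[0:2] = b'MZ'
    struct.pack_into('<I', dos_header, 0x3C, 0x40)
    pe_stub = bytes([0x50, 0x45, 0x00, 0x00]) + bytes(20)
    return xor_decrypt(shellcode + bytes(dos_header) + pe_stub)


if __name__ == '__main__':
    shellcode, dll = carve_payload(build_sample())
    print('shellcode bytes:', len(shellcode), '| DLL found:', dll is not None)
```

On a real sample, pass the raw bytes of Sycmentec.config to carve_payload() and write the returned DLL to disk for further analysis; the decoy MZ in the constructed input shows why checking e_lfanew matters before trusting a two-byte magic.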
The decrypted data starts with shellcode that is responsible for loading an embedded DLL and executing it.\r\nFigure 6 shows the decrypted ‘Sycmentec.config’ file containing an embedded DLL.\r\nFigure 6 Decrypted ‘Sycmentec.config’ file contains an embedded DLL\r\nThe embedded DLL is the functional payload, a variant of the NetTraveler Trojan with the following attributes:\r\nSize: 52736 bytes\r\nType: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nArchitecture: 32-bit binary\r\nMD5: 3e3df4fe831d87d7f52f14933e464fc3\r\nSHA1: cce65a0b67674a313091a947506ceb91d30605ad\r\nSHA256: 3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757\r\nssdeep: 1536:jxKW1S8mWKFU7U9lYjhjXwVqTvS/G405:wCBmUw9lAhLWqW/G40\r\nimphash: 85ce31f87f06b02fec915d33d82958e8\r\nCompile timestamp: 0x564B2B07 [Tue Nov 17 13:26:31 2015 UTC]\r\nCRC: claimed 0x0, actual 0x19be0 [SUSPICIOUS]\r\nPacker: Armadillo v1.xx - v2.xx (signature-based match; treat as indicative only)\r\nEntry Point: 0x1000970b, in .text (section 1 of 5)\r\nTable 1 Attributes of the embedded DLL (NetTraveler)\r\nThe first execution of this NetTraveler Trojan starts with an installation process. 
Like previous versions, this NetTraveler sample writes its configuration to a file, in this case named \"config.dat\".\r\nFigure 7 NetTraveler writes the configuration to the ‘config.dat’ file\r\nDuring execution, NetTraveler creates a mutex named ‘YOYWOW!657’, as shown in Figure 8, to avoid running multiple instances of its code.\r\nFigure 8 Mutex created for this NetTraveler payload\r\nThe code then enumerates the ‘netsvcs’ services, which are services that run within the process space of svchost.exe, specifically ignoring services named ‘6to4’ and ‘Ias’ because those two have been used by other malware families.\r\nWhen it finds another netsvcs service whose name does not match these two, it deletes the file associated with that service and copies the ‘rastls.dll’ file into the same folder under the filename ‘<service name>ve.dll’, as shown in Figure 9.\r\nFigure 9 Code enumerating ‘netsvcs’ services\r\nFigure 10 Renamed ‘rastls.dll’ DLL\r\nThe malware then changes the binary path of the service to point to this new filename, copies the \"Sycmentec.config\" file to the same folder, and writes the ‘config.dat’ file to the following location:\r\nc:\\windows\\system\\CERTAPL.DLL\r\nThe NetTraveler payload relies on the ‘rastls.dll’ file to obtain its C2 server. 
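The service hijack described above leaves artifacts a responder can hunt for before turning to the C2 configuration. The following Python is an added example, not code from the Unit 42 report: it takes a list of netsvcs service names with their ServiceDll paths (for a svchost-hosted service the ServiceDll value is the binary path the report says is changed; modelling it that way is this example's assumption) and flags any whose DLL is named <service name>ve.dll, as well as the CERTAPL.DLL drop location and a Sycmentec.config sidecar. The snapshot in build_sample_entries() is constructed, not real data, and the function names are this example's own.

```python
# Added example (not from the Unit 42 report): hunt for the netsvcs hijack the
# report describes, where rastls.dll is re-copied as <service name>ve.dll and the
# service is pointed at it, and for the CERTAPL.DLL config drop.
SEP = chr(92)  # the Windows path separator (backslash)
CONFIG_DROP = 'c:/windows/system/certapl.dll'  # where config.dat is copied
CONFIG_SIDECAR = 'sycmentec.config'            # copied next to the hijacked DLL


def _norm(path: str) -> str:
    # Lower-case and use forward slashes so comparisons ignore case and separator.
    return path.replace(SEP, '/').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit('/', 1)[-1]


def hijacked_netsvcs(entries):
    # entries: iterable of (service name, ServiceDll path) for netsvcs members.
    # Returns the entries whose DLL file name is exactly <service name>ve.dll.
    # The malware skips '6to4' and 'Ias', but a hunter should still check them.
    hits = []
    for name, dll_path in entries:
        if _basename(dll_path) == name.lower() + 've.dll':
            hits.append((name, dll_path))
    return hits


def suspicious_files(paths):
    # Returns normalised paths matching the config drop or the sidecar config name.
    out = []
    for p in paths:
        n = _norm(p)
        if n == CONFIG_DROP or _basename(n) == CONFIG_SIDECAR:
            out.append(n)
    return out


def build_sample_entries():
    # Constructed netsvcs snapshot (not real data): three ordinary members and one
    # that has been pointed at a renamed copy of rastls.dll.
    sys32 = SEP.join(['c:', 'windows', 'system32', ''])
    return [
        ('Schedule', sys32 + 'schedsvc.dll'),
        ('6to4', sys32 + '6to4svc.dll'),
        ('Browser', sys32 + 'browserve.dll'),   # <service name>ve.dll
        ('lanmanserver', sys32 + 'srvsvc.dll'),
    ]


if __name__ == '__main__':
    for name, path in hijacked_netsvcs(build_sample_entries()):
        print('possible NetTraveler hijack:', name, '->', path)
    print(suspicious_files([SEP.join(['c:', 'windows', 'system', 'CERTAPL.DLL'])]))
```

On a live host the entries would come from the netsvcs group list under the Svchost registry key and each service's Parameters ServiceDll value; a hit should be followed by hashing the DLL against the indicators at the end of this report.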
At first glance, the NetTraveler payload appears as if it will use the following URL for its C2 server:\r\nhttp://192.168.3[.]201/downloader2013/asp/downloader.asp\r\nThat is a private (RFC 1918) address and is not the real C2. Instead, the NetTraveler payload reads the last ‘0xb0’ bytes of the rastls.dll file and uses them to create the \"config.dat\" file that is later saved as \"CERTAPL.DLL\". This technique hides the true C2 server from researchers who do not have access to both the rastls.dll and Sycmentec.config files.\r\nFigure 11 Code snippet showing NetTraveler obtaining its configuration from rastls.dll.\r\nThe configuration file is structured as an \".ini\" file, as the Trojan uses GetPrivateProfileStringA to parse its contents. The configuration file has the following contents (in the U00P value, ‘^?’ is caret notation for the DEL byte 0x7F and ‘<xx>’ denotes a non-printable byte with hex value xx):\r\n[OOOOOO]\r\nU00P=r^?<80>}H>?<88><89><8A>B<8B><85>|<86><87><89><91><8B><90><92><88>N<84><91><90>S<94><96><9B><8C><8E><9E>Z<95><9B><92><94><A8>_<93><A6><A4>\r\nK00P=XLMNOPQRSTUVWXYZ[\\]^_`abcdefghiv\r\nP00D=5\r\nF00G=True\r\nMM1=0\r\nMM6=1\r\nUnit 42 analyzed the sample and found the following configuration fields that can appear in the CERTAPL.DLL configuration file, with a brief description of each:\r\nU00P = C2 URL (encoded)\r\nK00P = Key material for DES (encoded)\r\nP00D = Sleep interval in minutes\r\nF00G = Boolean controlling whether the sample uses a proxy to communicate with the C2 server\r\nMM1 = 1 if a proxy is configured, 0 otherwise\r\nMM3 = Port of the configured proxy\r\nMM4 = Username for the configured proxy\r\nMM5 = Password for the configured proxy\r\nMM6 = 1 if the Trojan is installed correctly\r\nThe \"U00P\" and \"K00P\" values are decoded with a simple algorithm that, for the byte at index i, subtracts i and then subtracts ten, as shown in the following Python:\r\ndef subtraction_algo(ct):\r\n    # ct is the raw value decoded as latin-1 so every byte maps to one character;\r\n    # byte i was stored as plaintext + i + 10\r\n    out = ''\r\n    for i, e in enumerate(ct):\r\n        out += chr(ord(e) - i - 10)\r\n    return out\r\nThese two fields decode to the following, the U00P value being the C2 URL and the K00P value being the basis for an encryption key for the DES algorithm:\r\nU00P: http://www.voennovosti.com/optdet/index.asp (decoded)\r\nK00P: NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM (decoded)\r\nThe C2 server responds to requests issued by the Trojan with commands to carry out on the compromised system. We analyzed the code within NetTraveler that handles commands issued by the C2 server and found four available commands, listed in Table 2. Each command is prefixed with the victim's unique system ID.\r\nCommand - Description\r\n<Unique System ID>:UNINSTALL - Deletes %APPDATA%\\cert2013.dat and %STARTUP%\\consent.lnk and exits the process. This attempts to uninstall the Trojan, but will not work because those filenames are not used by this version of NetTraveler.\r\n<Unique System ID>:RUN_REBOOT - Reboots the system.\r\n<Unique System ID>:RUN_STARTUP - Downloads a file to %TEMP%\\Temp.bmp and copies it to the startup folder.\r\n<Unique System ID>:RUN_DIRECT - Downloads a file to %TEMP%\\tmp.bmp and executes it.\r\nTable 2 Commands available within NetTraveler and a description of their functionality\r\nINFRASTRUCTURE\r\nAt the time of analysis, the domain voennovosti[.]com resolved to the IP ‘98.126.38[.]107’, which is hosted by Krypt Technologies. 
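The configuration format described in the previous section, as an added Python example that is not code from the Unit 42 report: a minimal GetPrivateProfileString-style parser for the [OOOOOO] section, the subtraction cipher in both directions, and interpretation of the documented fields. The sample config is constructed here by re-encoding the decoded U00P and K00P values given above; the interpretation of each key follows the report's field descriptions, and the function and dictionary names are this example's own.

```python
# Added example (not from the Unit 42 report): parse the ini-style NetTraveler
# configuration (config.dat / CERTAPL.DLL) and decode its U00P and K00P values.
# The cipher stores byte i of a value as plaintext + i + 10.

# Decoded values taken from the report; used here to construct sample input.
C2_URL = 'http://www.voennovosti.com/optdet/index.asp'
DES_KEY_BASIS = 'N' + 'A' * 30 + 'M'
CRLF = bytes([0x0D, 0x0A])


def encode_field(plain: str) -> bytes:
    # Inverse of the subtraction cipher, needed only to build test data.
    return bytes((ord(c) + i + 10) & 0xFF for i, c in enumerate(plain))


def decode_field(ct: bytes) -> str:
    # Subtract the index and then ten from every byte (the report's algorithm).
    return ''.join(chr((b - i - 10) & 0xFF) for i, b in enumerate(ct))


def parse_ini(raw: bytes) -> dict:
    # Minimal GetPrivateProfileString-style parser: {section: {key: value}}.
    # Values stay bytes because the encoded U00P contains non-ASCII bytes.
    sections, current = {}, None
    for line in raw.split(CRLF):
        line = line.strip()
        if not line or line[:1] == b';':
            continue
        if line[:1] == b'[' and line[-1:] == b']':
            current = line[1:-1].decode('latin-1')
            sections.setdefault(current, {})
        elif b'=' in line and current is not None:
            key, _, value = line.partition(b'=')
            sections[current][key.strip().decode('latin-1')] = value.strip()
    return sections


def parse_nettraveler_config(raw: bytes) -> dict:
    # Map the documented [OOOOOO] keys to their meaning (dictionary keys are this
    # example's own; semantics follow the report's field descriptions).
    f = parse_ini(raw).get('OOOOOO', {})

    def text(key):
        return f[key].decode('latin-1') if key in f else None

    return {
        'c2_url': decode_field(f['U00P']) if 'U00P' in f else None,
        'des_key_basis': decode_field(f['K00P']) if 'K00P' in f else None,
        'sleep_minutes': int(text('P00D')) if text('P00D') else None,
        'use_proxy': text('F00G') == 'True',
        'proxy_configured': text('MM1') == '1',
        'proxy_port': int(text('MM3')) if text('MM3') else None,
        'proxy_user': text('MM4'),
        'proxy_password': text('MM5'),
        'installed': text('MM6') == '1',
    }


def build_sample_config() -> bytes:
    # Constructed from the field values listed in the report.
    lines = [b'[OOOOOO]',
             b'U00P=' + encode_field(C2_URL),
             b'K00P=' + encode_field(DES_KEY_BASIS),
             b'P00D=5', b'F00G=True', b'MM1=0', b'MM6=1']
    return CRLF.join(lines) + CRLF


if __name__ == '__main__':
    for k, v in parse_nettraveler_config(build_sample_config()).items():
        print(k, '=', v)
```

Because every encoded byte is at least plaintext + 10, the ciphertext never contains ASCII whitespace, so stripping the ini lines is safe; the parser keeps values as bytes until decoding so that the high bytes of U00P survive untouched.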
A report published by Kaspersky Lab in 2013 on NetTraveler (see References) also notes that its C2 servers were hosted by Krypt Technologies. This web hosting provider continues to be the hosting provider of choice for the threat actors behind NetTraveler.\r\nFigure 12 DNS query for voennovosti[.]com resolves to ‘98.126.38.107’\r\nFigure 13 Encoded network communications\r\nCONCLUSION\r\nNetTraveler has been used to target diplomats, embassies and government institutions for over a decade, and remains the tool of choice of the adversaries behind these cyber espionage campaigns. Its use over such a long period shows how effectively these adversaries have been able to target their victims with impunity.\r\nAs seen in this case, the threat actors continue to evolve and employ new techniques within their modus operandi, such as DLL side-loading to install malware. The use of DLL side-loading is likely to increase because of its effectiveness at bypassing traditional security systems; defenders should therefore look beyond the legitimate host executable to the DLLs it loads from its own directory.\r\nIt is essential to raise awareness of such attacks to better protect organizations from adversaries who may be backed by nation states.\r\nWildFire correctly classifies NetTraveler as malicious. 
AutoFocus tags have been created to identify NetTraveler samples, and the respective IOCs have been added to Palo Alto Networks Threat Prevention.\r\nINDICATORS\r\nSHA256 hash - File name\r\n3f4fcde99775b83bc88d30ca99f5c70c1dd8b96d970dbfd5a846b46c6ea3e534 - 2015.12.11_сроки СГГ 2015 в Уфе.doc.doc\r\n001fff6c09497f56532e83e998aaa80690a668883b6655129d408dd098bd1b4b - DW20.exe\r\n74db11900499aa74be9e62d51889e7611eb8161cd141b9379e05eeca9d7175c9 - rastls.dll\r\n8f6af103bf7e3201045ce6c2af41f7a17ef671f33f297d36d2aab8640d00b0f0 - Sycmentec.config\r\n495bb9c680f114b255f92448e784563e4fd34ad19cf616cc537bec6245931b7e - config.dat\r\n41650cb6b4ae9f06c92628208d024845026c19af1ab3916c99c80c6457bd4fa9 - CERTAPL.DLL\r\n3b4e4d7a0b1185a45968d90ffe6346f4621116d14dbf88b5138040acc022c757 - (NetTraveler DLL payload)\r\nCommand and Control\r\nvoennovosti[.]com\r\n98.126.38[.]107\r\nREFERENCES\r\nhttps://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/\r\nhttps://www.fireeye.com/blog/threat-research/2014/04/dll-side-loading-another-blind-spot-for-anti-virus.html\r\nhttp://blog.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung-application-for-dll-side-loading/\r\nhttp://indianexpress.com/article/business/business-others/10-years-on-sco-decides-to-induct-india-as-full-member/\r\nhttps://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation\r\nhttp://ufa2015.com/\r\nSource: https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/"
	],
	"report_names": [
		"nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acc9346b5fa03d201fb8e10850a1b185088f1221.pdf",
		"text": "https://archive.orkl.eu/acc9346b5fa03d201fb8e10850a1b185088f1221.txt",
		"img": "https://archive.orkl.eu/acc9346b5fa03d201fb8e10850a1b185088f1221.jpg"
	}
}