Analyse vonCyril Coronado

The NetTraveler campaign is a series of malware spam attacks used against different companies and governmental institutions. Included in this list are the Tibetan/Uyghur activists. Recently, we received a spammed mail which is part of this campaign that targeted the Regional Tibetan Youth Congress.

The attack used was in a form of spam email which contains a short message, has a Microsoft Word document as an attachment and is addressed to the organization located in Mundgod, India. To make the attack appear legitimate, the mail sample purports itself to be sent by an email address owned by The Global Times. Further investigation revealed that the source was not The Global Times but a different domain entirely. The attached document is also verified as malicious.

The email and the malicious file are detected as TROJ_ARTIEF.PRM and concurrently blocked.
 Spam gesperrt am/um:: 25 Juni 2013 GMT-8
 TMASE
  • TMASE Engine::7.0
  • Patrón TMASE: 9972