Researchers intercept targeted malware attack against Tibetan organizations

Summary: Security researchers from AlienVault Labs have intercepted a currently circulating targeted malware attack aimed at Tibetan activist organizations.

Security researchers from AlienVault Labs have intercepted a currently circulating targeted malware attack aimed at Tibetan activist organizations, including the Central Tibet Administration and International Campaign for Tibet.

More details:

The attacks begin with a simple spear phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft Office. The information in the spear phishing email is related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim's computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year, and the variant we uncovered in these attacks seems to come from the same actors. It's likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.

The spear phishing emails carry a malicious attachment named "Camp information at Bodhgaya.doc", which upon opening attempts to exploit CVE-2010-3333, the RTF stack buffer overflow in Microsoft Office that Microsoft had already patched in MS10-087; the attack therefore only succeeds on machines where that update is missing.

What's particularly interesting about this targeted malware attack is that the malware is digitally signed, with the certificate issued to "Qingdao Ruanmei Network Technology Co., Ltd." by VeriSign. Thankfully, VeriSign revoked the certificate on 12 December.

Once a successful infection takes place, the malware phones home to the following command and control locations:

  • 218.106.193.184 – China Unicom IP network
  • 218.61.72.178 – China Unicom Liaoning province network
  • 59.44.49.88 – CHINANET liaoning province network
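The three addresses above are the indicators a defender would actually act on. The script below is an added example, not part of the original article or of AlienVault's analysis: it sweeps a batch of outbound-connection log lines for contacts with the listed command and control addresses and groups the hits by internal host for triage. The log format (timestamp, source IP, destination IP, destination port, action) and the sample lines are constructed for the example; the C2 addresses are the ones the article lists.

```python
import ipaddress
import re
from collections import defaultdict

# Command-and-control addresses named in the article (the indicator set).
GH0ST_C2_IPS = {
    "218.106.193.184",
    "218.61.72.178",
    "59.44.49.88",
}

# Constructed sample firewall log lines (not real traffic). Assumed format:
# "timestamp src_ip dst_ip dst_port action". One malformed line is included
# so the parser's error handling is exercised.
SAMPLE_LOG = """\
2012-01-10T09:12:01 10.0.5.21 93.184.216.34 443 ALLOW
2012-01-10T09:12:44 10.0.5.21 218.106.193.184 80 ALLOW
2012-01-10T09:13:02 10.0.5.37 218.61.72.178 443 ALLOW
2012-01-10T09:13:09 10.0.5.21 59.44.49.88 8080 DENY
2012-01-10T09:14:15 10.0.5.44 8.8.8.8 53 ALLOW
this line is malformed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject records whose address fields are not valid IP addresses.
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    return rec


def find_c2_contacts(log_text, indicators=GH0ST_C2_IPS):
    """Return the records whose destination is a listed C2 address.

    Denied connections are kept as well: a blocked beacon still identifies
    an internal host that is probably infected and needs to be looked at.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in indicators:
            hits.append(rec)
    return hits


def hosts_to_triage(hits):
    """Group C2 hits by internal source host -> sorted list of C2 IPs contacted."""
    by_host = defaultdict(set)
    for rec in hits:
        by_host[rec["src"]].add(rec["dst"])
    return {host: sorted(dsts) for host, dsts in by_host.items()}


if __name__ == "__main__":
    hits = find_c2_contacts(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['port']} ({rec['action']})")
    for host, dsts in hosts_to_triage(hits).items():
        print(f"triage {host}: contacted {', '.join(dsts)}")
```

Matching on destination address alone is deliberately simple; the addresses belong to large carrier networks, so a hit is a lead for host triage rather than proof of infection by itself, and the indicator set should be refreshed as the operators move infrastructure.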

With segmented databases of harvested email addresses for a particular country available for purchase within the cybercrime ecosystem, it shouldn't be surprising that the barriers to launching a targeted malware attack keep getting lower. Beyond freely available RATs (remote access Trojans), the cybercriminals engaging in cyber espionage are also known to outsource their campaign needs to third-party providers offering managed cybercrime-as-a-service.

Given Tibet's current geopolitical position, the country is a common target for cyber espionage campaigns launched by Chinese hacktivists, thanks to the Chinese government's tolerance of home-grown hacktivist communities such as China's Blue Army.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

1 comment
  • blind eye to android market: super majority of apps are malware

    android market is filled with the adware variety of malware with a sprinkling of apps that mirror contact information

    apps are either free or not. labeling adware as free is vile. the COST in privacy is tantamount to a*s r*pe

    smsfail