Pro-Tibet groups targeted with ExileRAT in spy campaign

The cyberespionage scheme makes use of a mailing list operated by the Tibetan government-in-exile.

Gozi banking trojan employs botnet for maximum damage Botnet distribution added to attacks which are crafted to hijack email threads - by attackers who are now experimenting with also delivering crytpocurrency mining malware.

Researchers have uncovered a new cyberespionage campaign which is targeting pro-Tibetan individuals in order to distribute the ExileRAT Trojan.

On Monday, researchers from Cisco Talos said that the new campaign delivers a malicious Microsoft PowerPoint document containing the Remote Access Trojan (RAT) which is capable of stealing system and personal information, terminating or launching processes, surveillance and the theft of files.

The malware is being spread through a "Tibetan News" mailing list belonging to the Central Tibetan Administration (CTA), an organization which is representing the Tibetan government-in-exile.

See also: NanoCore Trojan is protected in memory from being killed off

The list is used to contact supporters and is operated through India-based DearMail. Talos says that the attackers were able to modify the standard Reply-to header so responses would be sent back to an email address managed by the scammers.

The malicious email references the upcoming 60th anniversary of the Dalai Lama's exile and it is believed every subscriber has received the phishing message.

Recipients of emails sent through the targeting phishing scheme are presented with a .PPSX file which is loaded with an exploit for CVE-2017-0199, an arbitrary code vulnerability in Microsoft Office which was patched in 2017.

CNET: Apple stores Russian users' data on Russian servers, report says

The PowerPoint document is a copy of the legitimate "Tibet-was-never-a-part-of-China" presentation which was published in November 2018 by the CTA.

screenshot-2019-02-05-at-09-26-30.png

Cisco Talos

The .PPSX file contains a dropper which pulls the Trojan from its command-and-control (C20 server for execution on a vulnerable system.

Interestingly, Talos found that the C2 connected to this campaign has also been linked to the LuckyCat Android- and Windows-based Trojans in the past.

LuckyCat is believed to be the work of pro-Chinese threat actors in pursuit of information belonging to Tibetan activists. An IP address connected to LuckyCat has also been linked to a Mac Trojan spotted in the wild in 2012.

TechRepublic: 3 ways state actors target businesses in cyber warfare, and how to protect yourself

"Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain," Talos says. "This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons."

In November, the same team of researchers published an investigation into Persian Stalker, a potentially state-sponsored threat group which is targeting Iranian users of Telegram, an app banned in the country. Phishing is taking place alongside the takeover of the Border Gateway Protocol (BGP) to reroute Internet traffic, an attack that average users cannot defend themselves against. 

Previous and related coverage