The attacks begin with a simple spear-phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft Office. The content of the spear-phishing email relates to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware used in this attack is a variant of Gh0st RAT (remote access Trojan), software that enables anything from stealing documents to turning on a victim's computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year, and the variant we uncovered in these attacks seems to come from the same actors. It is likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.
The spear-phishing emails carry a malicious attachment spamvertised as "Camp information at Bodhgaya.doc", which upon execution attempts to exploit CVE-2010-3333.
What's particularly interesting about this targeted malware attack is that the malware is digitally signed, with a certificate issued to "Qingdao Ruanmei Network Technology Co., Ltd." by VeriSign. Thankfully, VeriSign revoked the certificate on 12th Dec.
Once a successful infection takes place, the malware phones back to the following command and control locations:
220.127.116.11 – China Unicom IP network
18.104.22.168 – China Unicom Liaoning province network
22.214.171.124 – CHINANET liaoning province network
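For defenders, the three command-and-control addresses above are the most actionable part of this write-up: any internal host that has connected, or tried to connect, to them is a candidate Gh0st RAT infection. The script below is an added example, not code from the original post; it matches a small set of constructed firewall log lines against those indicators and groups the hits by internal source address. The log format it parses ("timestamp src -> dst:port action") is an assumption chosen for the example, and the timestamps and internal addresses are constructed.

```python
import re
from collections import defaultdict

# Command-and-control addresses listed in the write-up above,
# keyed by IP with the network owner given there as a label.
C2_INDICATORS = {
    "220.127.116.11": "China Unicom IP network",
    "18.104.22.168": "China Unicom Liaoning province network",
    "22.214.171.124": "CHINANET liaoning province network",
}

# Assumed log format (constructed for this example, not a real product's format):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample log: two internal hosts, one benign connection,
# one beacon that the firewall blocked, and one unparseable line.
SAMPLE_LOG = """\
2012-01-12T09:14:02Z 10.0.0.25 -> 220.127.116.11:80 ALLOW
2012-01-12T09:14:05Z 10.0.0.25 -> 198.51.100.7:443 ALLOW
2012-01-12T09:20:41Z 10.0.0.31 -> 18.104.22.168:443 ALLOW
2012-01-12T09:21:00Z 10.0.0.25 -> 22.214.171.124:8080 DENY
this line is malformed and must be skipped, not crash the scan
"""


def find_c2_beacons(lines):
    """Return one record per log line whose destination is a known C2 address.

    Blocked (DENY) attempts are reported too: a host that tries to reach a
    C2 server is compromised whether or not the firewall let the packet out.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        dst = m.group("dst")
        if dst in C2_INDICATORS:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": dst,
                "port": int(m.group("port")),
                "action": m.group("action"),
                "label": C2_INDICATORS[dst],
            })
    return hits


def suspected_hosts(hits):
    """Group hits by internal source address -> sorted list of C2 IPs contacted.

    This is the triage list: each key is a machine to isolate and image.
    """
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


def scan_log_text(text):
    """Convenience wrapper: scan a whole log blob and return (hits, hosts)."""
    hits = find_c2_beacons(text.splitlines())
    return hits, suspected_hosts(hits)


if __name__ == "__main__":
    hits, hosts = scan_log_text(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} "
              f"[{h['action']}] {h['label']}")
    print("suspected infected hosts:", hosts)
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and adjusting LOG_LINE to the firewall's actual format; the indicator set and the grouping logic stay the same.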
With segmented databases of harvested email addresses for a particular country available for purchase within the cybercrime ecosystem, it shouldn't be surprising that the barriers to entry for launching a targeted malware attack keep getting lower. Next to freely available RATs (remote access Trojans), the cybercriminals engaging in cyber espionage are also known to actively outsource their campaign needs to third-party providers of managed cybercrime-as-a-service offerings.