The attacks began with a spear phishing campaign related to a Tibetan religious festival held in January; the attackers used a contaminated Office file to exploit a known vulnerability in Microsoft, explained Jaime Blasco, manager of AlienVault Labs.
In an interview with Infosecurity, Blasco said that the attacks are targeted at the Central Tibetan Administration (the Tibetan government in exile), International Campaign for Tibet, as well as other Tibetan organizations and individuals. “We detected that they were sending spear phishing emails to key people at these organizations with files that contain an exploit that drops a payload on the victim’s computer”, he explained.
These attacks share code and IP addresses with the Nitro attacks last year that originated from China and targeted chemical and defense firms. “We were able to link these attacks against the Tibetan government with the Nitro attacks last year”, Blasco said.
The goal of the attacks is to gather information from these organizations by stealing documents and activating the microphones on computers and laptops. “They can do whatever they want” once the malware is installed, he explained.
In an AlienVault Labs blog, Blasco explained that the malware is a variant of Gh0st RAT, which was the primary tool used in the Nitro attacks. The Tibetan attacks are exploiting a known Microsoft Office stack overflow vulnerability to deploy the malware.
“Just for good measure, the malware is digitally signed, giving it an extra layer of authenticity,” although the certificate had been revoked by VeriSign last year, Blasco explained.
The malware “uses a staged XOR loader, which then resolves imports by hashes (a common technique), with the embedded payload encrypted using a 256-byte XOR key. This allows the payload to obfuscate itself from most security systems and software, including IDS appliances”, Blasco wrote.