Wednesday, March 21, 2012

Targeted Attacks Against Tibet Organizations

Via AlienVault Labs (March 13, 2012) -

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others. We believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.

The attacks begin with a simple spear phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft Office. The information in the spear phishing email is related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim’s computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year, and the variant we uncovered in these attacks seems to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.

It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.

Below is a detailed analysis of one of the dozens of campaigns that we’ve been tracking, which illustrates the method used by the attackers and the possible connection to the Nitro attacks.

These latest attacks are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spear phishing emails are not that sophisticated and feature a Microsoft Word attachment (Camp information at Bodhgaya.doc) that exploits a known Office stack buffer overflow (CVE-2010-3333, in Word’s RTF parser).

Examining the resulting network traffic confirms the code to be a variant of Gh0st RAT (remote access trojan), using the header string ‘ByShe’ in place of the usual ‘Gh0st’.

We have found more samples using this modified header (“ByShe”):

It is worth noting that the sample 4a35488762f70170dc0d3f46f94a7bcb connects to its command-and-control server using the ‘ByShe’ protocol, which we also saw during the Nitro attacks between April and November of last year.
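The header swap described above and in the traffic analysis is easy to key a detector on, so here is an added example of a Gh0st-style packet parser (not AlienVault’s code). Gh0st RAT frames every message as a 13-byte header, a 5-byte magic followed by a little-endian total packet length and a little-endian uncompressed length, and then a zlib-compressed body; the ByShe samples keep this framing and only change the magic. The parser checks each client-supplied field before trusting it, inflates with a bound so a lying length field cannot become a decompression bomb, and walks a reassembled TCP payload packet by packet. The family labels, the 16 MiB body cap and the beacon bodies are assumptions made for the example; no real C2 traffic is reproduced.

```python
import struct
import zlib

# Added example; not code from the AlienVault post. Gh0st RAT wire header:
#   5-byte magic | uint32 LE total length (header + compressed body) | uint32 LE
#   uncompressed length | zlib-compressed body.
HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13

# Stock magic plus the variant seen in the Tibet and Nitro campaigns.
MAGICS = {
    b"Gh0st": "Gh0st RAT (stock magic)",
    b"ByShe": "Gh0st RAT variant (ByShe magic, Nitro / Tibet campaigns)",
}
MAX_BODY = 16 * 1024 * 1024   # assumed cap on what we are willing to inflate


def build_packet(magic: bytes, body: bytes) -> bytes:
    """Constructed-sample helper: frame a body the way a Gh0st client does."""
    comp = zlib.compress(body)
    return struct.pack(HEADER_FMT, magic, HEADER_LEN + len(comp), len(body)) + comp


def parse_packet(pkt: bytes):
    """Return (family, body) for one well-formed Gh0st-style packet, else None."""
    if len(pkt) < HEADER_LEN:
        return None
    magic, total_len, orig_len = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    family = MAGICS.get(magic)
    # Declared total length must match the bytes in hand; declared body size must be sane.
    if family is None or total_len != len(pkt) or orig_len > MAX_BODY:
        return None
    inflater = zlib.decompressobj()
    try:
        # Bounded inflate: ask for at most orig_len + 1 bytes so an understated
        # orig_len is caught without ever inflating an unbounded stream.
        body = inflater.decompress(pkt[HEADER_LEN:], orig_len + 1)
    except zlib.error:
        return None
    if len(body) != orig_len or not inflater.eof:
        return None
    return family, body


def scan_flow(payload: bytes):
    """Walk a reassembled TCP payload and return every Gh0st-style packet found in it."""
    hits = []
    off = 0
    while off + HEADER_LEN <= len(payload):
        magic, total_len, _ = struct.unpack(HEADER_FMT, payload[off:off + HEADER_LEN])
        if magic not in MAGICS or total_len < HEADER_LEN or off + total_len > len(payload):
            break
        parsed = parse_packet(payload[off:off + total_len])
        if parsed is None:
            break
        hits.append(parsed)
        off += total_len
    return hits


# Constructed flows: two ByShe-framed beacons back to back, and ordinary HTTP.
BYSHE_FLOW = (build_packet(b"ByShe", b"constructed beacon body one")
              + build_packet(b"ByShe", b"constructed beacon body two"))
HTTP_FLOW = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for label, flow in [("byshe", BYSHE_FLOW), ("http", HTTP_FLOW)]:
        for family, body in scan_flow(flow):
            print(label, family, body)
```

The check on `total_len` against the bytes actually present is what makes this usable on a stream: a Gh0st session carries many packets per connection, and trusting the length field without that comparison would let a single malformed frame desynchronise the parser for the rest of the flow.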

This sample was used during the Nitro attacks last year, a targeted attack against chemical and defense companies that was traced to China.
