Top 5 Stories


Tibetan groups targeted by Chinese attackers

19 March 2012

Tibetan organizations are under attack from Chinese spear phishers who were also behind the Nitro attacks that targeted Western chemical and defense firms last year, according to research by AlienVault.

The attacks began with a spear phishing campaign related to a Tibetan religious festival held in January; the attackers used a contaminated Office file to exploit a known vulnerability in Microsoft, explained Jaime Blasco, manager of AlienVault Labs.

In an interview with Infosecurity, Blasco said that the attacks are targeted at the Central Tibetan Administration (the Tibetan government in exile), International Campaign for Tibet, as well as other Tibetan organizations and individuals. “We detected that they were sending spear phishing emails to key people at these organizations with files that contain an exploit that drops a payload on the victim’s computer”, he explained.

These attacks share code and IP addresses with the Nitro attacks last year that originated from China and targeted chemical and defense firms. “We were able to link these attacks against the Tibetan government with the Nitro attacks last year”, Blasco said.

The goal of the attacks is to gather information from these organizations by stealing documents and activating the microphones on computers and laptops. “They can do whatever they want” once the malware is installed, he explained.

In an AlienVault Labs blog, Blasco explained that the malware is a variant of Gh0st RAT, which was the primary tool used in the Nitro attacks. The Tibetan attacks are exploiting a known Microsoft Office stack overflow vulnerability to deploy the malware.

“Just for good measure, the malware is digitally signed, giving it an extra layer of authenticity,” although the certificate had been revoked by VeriSign last year, Blasco explained.

The malware “uses a staged XOR loader, which then resolves imports by hashes (a common technique), with the embedded payload encrypted using a 256-byte XOR key. This allows the payload to obfuscate itself from most security systems and software, including IDS appliances”, Blasco wrote.

This article is featured in:
Application Security  •  Data Loss  •  Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×