The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized by a low detection rate. This RAT has previously been used by different threat actors in targeted attacks and also in cyber criminal campaigns.
“After a quick dynamic analysis, we saw that the magic word used in network communications by this sample is “LURK0”, instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.” wrote ESET in a blog post.
The attack scheme is not different from other targeted attacks, threat actors sent spear phishing email to the victims, the messages, supposedly from “Tibet Press,” proposed to the victims the participation to a “rally for Tibet”. The email had a Word document attached that is used by attackers to exploit the CVE-2012-0158 and drop on the victims’ machine the Gh0st RAT.
Once the victims have opened the document, the Gh0st RAT would try to connect to the following two domains:
in addition, according to the experts the second domain has been used in targeted attacks in the past.
In time I’m writing the researchers to do not have information related to the nature of the actors behind the attacks.
(Security Affairs – Gh0st RAT, cyber espionage)