APT actors trying to use the G20 2014 summit as a lure to compromise Tibetan nongovernmental organizations (NGOs) with Gh0st RAT.
Security experts at ESET uncovered a new series of cyber attacks that targeted Tibetan nongovernmental organizations (NGOs) concurrently with the G20 2014 summit in Brisbane, Australia.
The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized by a low detection rate. This RAT has previously been used by different threat actors in targeted attacks and also in cyber criminal campaigns.
“After a quick dynamic analysis, we saw that the magic word used in network communications by this sample is “LURK0”, instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.” wrote ESET in a blog post.
The attack scheme is not different from other targeted attacks, threat actors sent spear phishing email to the victims, the messages, supposedly from “Tibet Press,” proposed to the victims the participation to a “rally for Tibet”. The email had a Word document attached that is used by attackers to exploit the CVE-2012-0158 and drop on the victims’ machine the Gh0st RAT.
Once the victims have opened the document, the Gh0st RAT would try to connect to the following two domains:
in addition, according to the experts the second domain has been used in targeted attacks in the past.
In time I’m writing the researchers to do not have information related to the nature of the actors behind the attacks.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.