The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized by a low detection rate. This RAT has previously been used by different threat actors in targeted attacks and also in cyber criminal campaigns.
“After a quick dynamic analysis, we saw that the magic word used in network communications by this sample is “LURK0”, instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.” wrote ESET in a blog post.
The attack scheme is not different from other targeted attacks, threat actors sent spear phishing email to the victims, the messages, supposedly from “Tibet Press,” proposed to the victims the participation to a “rally for Tibet”. The email had a Word document attached that is used by attackers to exploit the CVE-2012-0158 and drop on the victims’ machine the Gh0st RAT.
Once the victims have opened the document, the Gh0st RAT would try to connect to the following two domains:
in addition, according to the experts the second domain has been used in targeted attacks in the past.
In time I’m writing the researchers to do not have information related to the nature of the actors behind the attacks.
(Security Affairs – Gh0st RAT, cyber espionage)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.