Security experts at Talos group have uncovered a malware campaign using the ExileRAT backdoor to target the mailing list of the organization officially representing the Tibetan government-in-exile.
Threat actors are delivering the malware via a weaponized Microsoft PowerPoint document; the messages reach people on a mailing list run by the Central Tibetan Administration (CTA).
The nature of malware and the targets suggests the involvement of
Given the nature of the threat and the targets, the campaign was likely designed for espionage purposes, Talos’ security researchers say.
The bait PowerPoint document is a copy of a legitimate PDF available on CTA’s website; the attackers sent it to all subscribers of the CTA mailing list.
“Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.” reads the analysis published by Talos.
“The document used in the attack was a PPSX file, a file format used to deliver a non-
The experts received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China
The weaponized documents exploit CVE-2017-0199, a zero-day arbitrary code execution vulnerability that Microsoft fixed in April 2017 and that has been actively exploited in attacks in the wild.
The exploit code used by the attackers originated from a public script available on GitHub, researchers noticed that the PPSX also attempts to contact
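As an added illustration (not code from the article or from Talos), the following Python script shows how a defender can triage a PPSX for the structural feature that CVE-2017-0199 documents rely on: a part relationship that PowerPoint resolves outside the archive at open time. The two sample packages, their relationship XML and the placeholder URL are constructed here; the `script:` moniker prefix in the target pattern is an assumption drawn from public analyses of this CVE, not a detail from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace (standard, from ECMA-376).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Targets that resolve outside the document. "script:" is a moniker prefix
# reported in public CVE-2017-0199 PowerPoint samples; listing it here is an
# assumption of this example, not something stated in the article.
REMOTE_TARGET = re.compile(r"^(?:https?://|file://|\\\\|script:)", re.IGNORECASE)


def find_external_relationships(ppsx_bytes: bytes) -> list:
    """List every relationship in the package marked TargetMode="External".

    A PPSX is a ZIP of XML parts; each part's links live in a sibling
    `_rels/<part>.rels` file. An external relationship tells PowerPoint to
    resolve the Target outside the archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return findings


def suspicious_relationships(ppsx_bytes: bytes) -> list:
    """Keep only external links that are not ordinary hyperlinks.

    Clickable web links are normal in slides, so they are excluded; an
    oleObject (or any other part type) fetched from a remote location when
    the slideshow opens is the pattern worth an analyst's attention.
    """
    return [
        f for f in find_external_relationships(ppsx_bytes)
        if f["type"] != "hyperlink" and REMOTE_TARGET.match(f["target"])
    ]


def build_sample_ppsx(slide_rels_xml: str) -> bytes:
    """Constructed minimal package: just enough parts for the scanner to walk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


_OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed: a normal slide with a layout, a web hyperlink and an embedded OLE object.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{_OD}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{_OD}/hyperlink" Target="https://example.org/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{_OD}/oleObject" Target="../embeddings/oleObject1.bin"/>
</Relationships>
"""

# Constructed: the same slide, but the OLE object is linked to a remote host
# (placeholder URL) and would be fetched when the slideshow opens.
SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{_OD}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId3" Type="{_OD}/oleObject" Target="http://placeholder.invalid/object.doc" TargetMode="External"/>
</Relationships>
"""

BENIGN_PPSX = build_sample_ppsx(BENIGN_RELS)
SUSPECT_PPSX = build_sample_ppsx(SUSPECT_RELS)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PPSX), ("suspect", SUSPECT_PPSX)):
        for hit in suspicious_relationships(blob):
            print(f"{label}: {hit['part']} {hit['id']} {hit['type']} -> {hit['target']}")
```

Run against a real file by passing its bytes to `suspicious_relationships`. The hyperlink exclusion is deliberate: flagging every external relationship would bury the one that matters under ordinary links, while a non-hyperlink part resolved from a remote location is rare in legitimate slide decks.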
The malicious code is executed via
similar to the legitimate system task name “Diagnostic System Host” without the “_” (underscores).
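The masquerade described above, a task name that differs from a legitimate one only in its separators, can be caught by normalizing names before comparing them. The following Python detector is an added example, not code from the article or from Talos; the `schtasks /query /fo CSV`-shaped sample output, the lookalike task names in it and the one-entry allowlist are constructed for this illustration. It generalizes slightly beyond the article's case by treating hyphens, dots and case differences as the same kind of masquerade.

```python
import csv
import io
import re

# Legitimate names whose lookalikes we want to catch. The article mentions
# only "Diagnostic System Host"; a real deployment would load its own
# allowlist of known-good task names here.
KNOWN_GOOD = {"Diagnostic System Host"}

# Separators an attacker may swap for spaces (or drop) to stay visually similar.
_SEPARATORS = re.compile(r"[\s_\-.]+")


def _leaf(task_name: str) -> str:
    """Strip the task folder path ('\\Microsoft\\Windows\\...') and keep the name."""
    return task_name.rsplit("\\", 1)[-1]


def normalize(task_name: str) -> str:
    """Collapse separators and case so 'Diagnostic_System_Host',
    'diagnostic-system-host' and 'Diagnostic  System Host' compare equal."""
    return _SEPARATORS.sub(" ", _leaf(task_name)).strip().lower()


# Normalized legitimate name -> exact legitimate spelling.
_LOOKUP = {normalize(n): n for n in KNOWN_GOOD}


def classify_task(task_name: str) -> str:
    """Return 'exact' for the genuine name, 'lookalike' for a masquerade, else 'other'."""
    legit = _LOOKUP.get(normalize(task_name))
    if legit is None:
        return "other"
    return "exact" if _leaf(task_name) == legit else "lookalike"


def find_lookalikes(schtasks_csv: str) -> list:
    """Parse CSV in the shape of `schtasks /query /fo CSV` and return masquerading names."""
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    return [row["TaskName"] for row in reader
            if classify_task(row["TaskName"]) == "lookalike"]


# Constructed sample output: one unrelated task, the genuine name, and two
# lookalikes (underscores as in the campaign described above, and a
# hyphen/case variant to show the generalization).
SAMPLE_CSV = '''"TaskName","Next Run Time","Status"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
"\\Diagnostic System Host","N/A","Ready"
"\\Diagnostic_System_Host","N/A","Ready"
"\\diagnostic-system-host","N/A","Ready"
'''

if __name__ == "__main__":
    for name in find_lookalikes(SAMPLE_CSV):
        print("lookalike task name:", name)
```

On a live host the CSV would come from running `schtasks /query /fo CSV` and feeding its output to `find_lookalikes`; the same normalization works for service display names, which is where the name "Diagnostic System Host" is more commonly seen.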
The ExileRAT used in this campaign supports commands to retrieve system information (i.e. computer name, username, drive listing, network adapter and process names), exfiltrate data, and execute or terminate processes.
Talos pointed out that the C2 infrastructure has been used in multiple campaigns, including attacks against Tibetan activists that leveraged a newer version of the LuckyCat Android RAT.
“This newer version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing.” continues the report.
Talos concludes that this new campaign represents an “evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities.”
The good news is that the attackers leveraged an old issue that up-to-date defenses can easily detect.