Security Experts:

Gh0stRAT Variant Used in Targeted Attacks Against Organizations in Tibet

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Gh0stRAT Variant used in Targeted Attacks Against Organizations in TibetTowards the end of 2011, a group believed to be located in China, launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters. The attacks were given the name Nitro, and they leveraged Phishing and a PDF exploit to target a vulnerability in Windows. However, what made headlines was the payload, a Remote Access Trojan called Gh0st (Gh0stRAT), a relative of the Poison Ivy trojan. At least 48 companies were believed to have been targeted in the Nitro attacks.

According to Alienvault, the spear phishing campaign currently targeting Tibetan activist organizations is focusing the Kalachakra Initiation, which is a Tibetan religious festival that took place in early January. In addition, the malicious payload being delivered in this latest attack is a variant of Gh0stRAT, which exploits a known Office vulnerability.

Moreover, the attack leverages a digitally signed payload, including a VeriSign certificate that was revoked in December. The attack also uses obfuscation methods that help it avoid IDS appliances and other protective measures – including AV. Detections are still low when it comes to the email and payload.

“It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons,” wrote Jaime Blasco.

“It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”

The full report, including an overview of the technical details is here.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.