Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Gh0stRAT Variant Used in Targeted Attacks Against Organizations in Tibet

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Gh0stRAT Variant used in Targeted Attacks Against Organizations in TibetTowards the end of 2011, a group believed to be located in China, launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters. The attacks were given the name Nitro, and they leveraged Phishing and a PDF exploit to target a vulnerability in Windows. However, what made headlines was the payload, a Remote Access Trojan called Gh0st (Gh0stRAT), a relative of the Poison Ivy trojan. At least 48 companies were believed to have been targeted in the Nitro attacks.

According to Alienvault, the spear phishing campaign currently targeting Tibetan activist organizations is focusing the Kalachakra Initiation, which is a Tibetan religious festival that took place in early January. In addition, the malicious payload being delivered in this latest attack is a variant of Gh0stRAT, which exploits a known Office vulnerability.

Moreover, the attack leverages a digitally signed payload, including a VeriSign certificate that was revoked in December. The attack also uses obfuscation methods that help it avoid IDS appliances and other protective measures – including AV. Detections are still low when it comes to the email and payload.

“It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons,” wrote Jaime Blasco.

“It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”

The full report, including an overview of the technical details is here.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.