Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Gh0stRAT Variant Used in Targeted Attacks Against Organizations in Tibet

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Gh0stRAT Variant used in Targeted Attacks Against Organizations in TibetTowards the end of 2011, a group believed to be located in China, launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters. The attacks were given the name Nitro, and they leveraged Phishing and a PDF exploit to target a vulnerability in Windows. However, what made headlines was the payload, a Remote Access Trojan called Gh0st (Gh0stRAT), a relative of the Poison Ivy trojan. At least 48 companies were believed to have been targeted in the Nitro attacks.

According to Alienvault, the spear phishing campaign currently targeting Tibetan activist organizations is focusing the Kalachakra Initiation, which is a Tibetan religious festival that took place in early January. In addition, the malicious payload being delivered in this latest attack is a variant of Gh0stRAT, which exploits a known Office vulnerability.

Moreover, the attack leverages a digitally signed payload, including a VeriSign certificate that was revoked in December. The attack also uses obfuscation methods that help it avoid IDS appliances and other protective measures – including AV. Detections are still low when it comes to the email and payload.

“It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons,” wrote Jaime Blasco.

“It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”

The full report, including an overview of the technical details is here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.