Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.
According to Alienvault, the spear phishing campaign currently targeting Tibetan activist organizations is focusing the Kalachakra Initiation, which is a Tibetan religious festival that took place in early January. In addition, the malicious payload being delivered in this latest attack is a variant of Gh0stRAT, which exploits a known Office vulnerability.
Moreover, the attack leverages a digitally signed payload, including a VeriSign certificate that was revoked in December. The attack also uses obfuscation methods that help it avoid IDS appliances and other protective measures – including AV. Detections are still low when it comes to the email and payload.
“It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons,” wrote Jaime Blasco.
“It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”
The full report, including an overview of the technical details is here.