Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Targeted Attacks Against Tibet Using MS Office Exploit to Deliver “Mac Control” RAT

Not long ago, researchers from AlienVault Labs had discovered a spear phishing attack targeting several organizations in Central Tibet. The attacks have since continued, and are now shifting to targeting a wider set of activists, including those using Mac OS.

Not long ago, researchers from AlienVault Labs had discovered a spear phishing attack targeting several organizations in Central Tibet. The attacks have since continued, and are now shifting to targeting a wider set of activists, including those using Mac OS.

Towards the end of 2011, a group believed to be located in China, launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters.

The attacks were given the name Nitro. However, what made headlines was the payload, a Remote Access Trojan (RAT) called Gh0st (Gh0stRAT), a relative of the Poison Ivy Trojan. At least 48 companies were believed to have been targeted in the Nitro attacks. According to AlienVault, the spear phishing campaign currently targeting Tibetan activists and supporting organizations is leveraging a new variant of Gh0stRAT, as well as another RAT that focuses on systems running Mac OS X.

“Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same we have been tracking for a while,” explained AlienVault Labs manager, Jaime Blasco.

“When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file.”

The Trojan, named “Mac Control” by its authors, executes when the system starts, and will established a connection to the C&C in order to wait for commands. Investigation into the malware itself shows it has the ability to allow remote shells, as well as the ability to send, receive, and delete files.

Several samples of the malware were discovered, though none of them were detected by the major security vendors when submitted for analysis.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...