Targeted Attacks Against Tibet Using MS Office Exploit to Deliver “Mac Control” RAT

Not long ago, researchers from AlienVault Labs had discovered a spear phishing attack targeting several organizations in Central Tibet. The attacks have since continued, and are now shifting to targeting a wider set of activists, including those using Mac OS.

Towards the end of 2011, a group believed to be located in China, launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters.

The attacks were given the name Nitro. However, what made headlines was the payload, a Remote Access Trojan (RAT) called Gh0st (Gh0stRAT), a relative of the Poison Ivy Trojan. At least 48 companies were believed to have been targeted in the Nitro attacks. According to AlienVault, the spear phishing campaign currently targeting Tibetan activists and supporting organizations is leveraging a new variant of Gh0stRAT, as well as another RAT that focuses on systems running Mac OS X.

“Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same we have been tracking for a while,” explained AlienVault Labs manager, Jaime Blasco.

“When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file.”

The Trojan, named “Mac Control” by its authors, executes when the system starts, and will established a connection to the C&C in order to wait for commands. Investigation into the malware itself shows it has the ability to allow remote shells, as well as the ability to send, receive, and delete files.

Several samples of the malware were discovered, though none of them were detected by the major security vendors when submitted for analysis.