Wednesday, October 21, 05:56
Home security A spy campaign targets the Pro-Tibet Group with ExileRAT

A spy campaign targets the Pro-Tibet Group with ExileRAT

ExileRATAn espionage campaign at Internet has been identified to target subscribers to the mailing list, owned by the Central Command of Tibet (CTA).

The CTA of India is an organization officially representing the Tibetan exile government. The territory of Tibet is governed by the People's Republic of China - but the CTA regards it as an illegal military occupation. CTA believes Tibet is a separate independent nation.

Researchers with Cisco Talos recently discovered, in the CTA mailing list, spam emails that had been sent to subscribers. The emails, allegedly sourced from the CTA, said they were celebrating the upcoming 60 orth anniversary of the Dalai Lama's exile on March 31 with an attached Power Point document titled "Tibet was never part of China."

However, the attached file is actually a malicious PPSX file, used as a dropper to allow an attacker to execute various JavaScript scripts and eventually download a payload to the victims' systems. This payload is essentially a remote access trojan (RAT) called ExileRAT and steals computer information.

"Given the nature of this malware and its objectives, it is likely designed for espionage and not for financial gain," said researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz. "This is just one part of a continuing trend of national agencies working to spy on citizens for political reasons."

The researchers told Threatpost that so far they have no information on who is behind this campaign.

Method of contamination

Craig Williams, Cisco Talos Social Activity Manager, told Threatpost that the company noticed the first sample of the campaign at 30 in January.

Although the number of people in the CTA mailing list is not known, it appears that all those who have received the email.

The mailing list infrastructure is run by DearMail, based in India. Investigators said the attackers modified the typical "Reply-To" header so that the responses could be directed back to a hacker-owned email address (mediabureauin [at]

The email is called "The-Tibet-was-never-been-part of China".

Researchers said the email contained a malicious PPSX attachment, which was intended to attack CTA mailing list subscribers. PPSX is a file format used to deliver an unprocessed slide view, derived from a Microsoft PowerPoint document.

The attached document is a large set of slides (consisting of over 240 slides). Interestingly, the document is actually a copy of a legitimate PDF file that is available for download from CTA's homepage, according to researchers.

This attack exploits CVE-2017-0199, a very serious vulnerability in Microsoft Office, which allows remote intruders to execute arbitrary code through a processed document. Once downloaded, the malicious PPSX file executes a Javascript responsible for downloading the payload, ExileRAT (“syshost.exe”), from the command and control server (C2).

ExileRAT is capable of transferring information about the system (computer name, username, drives, network adapter, process name) by performing or terminating procedures.

Connect to LuckyCat RAT

Interestingly, the infrastructure used for C2 was previously linked to the LuckyCat Android RAT. LuckyCat Android RAT used 2012 against Tibetan activists.

“The newest version [Jan. 3] includes the same features as the 2012 version (file uploading, downloading, information theft and remote deletion) but adds many new features such as file removal, application execution, audio recording, personal contacts, SMS theft, location theft ”, Cisco researchers reported.


Please enter your comment!
Please enter your name here

Absent Mia
Absent Mia
Being your self, in a world that constantly tries to change you, is your greatest achievement


Google removes two ad blockers that collect user data

Google removed two ad blocker extensions from the official Chrome Web Store over the weekend after realizing that they were stealing ...

Two out of five employees are not sure what phishing is

The COVID-19 pandemic posed a significant challenge for businesses around the world, as the dispersed workforce seems to be ...

Hackers disguise themselves as McAfee staff and deceive users

According to Google, hackers backed by the Chinese government were disguised as McAfee employees to trick users into ...

How to find products sold by Amazon itself

Amazon acts as an intermediary in the sale of millions of goods by thousands of sellers around the world. The quality of these products varies ....

How to stop the automatic switching of AirPods between iPhone and iPad

AirPods and AirPods Pro automatically switch between iPhone and iPad. If you turn off the iPad and start a call on your iPhone, ...

The Windows 10 KB4579311 update has an installation problem

Windows 10 users face many problems when installing the latest cumulative update KB4579311 and those who can ...

The big "Twitter hack" was the result of employee fraud

The biggest Twitter hack that has become known to date, was the one that took place last July and resulted in ...

Gang ransomware donates part of ransom to charities

The Darkside ransomware gang has donated 10 thousand dollars from the ransom it has collected from its victims to Children International ...

FinCEN fines $ 60 million companies for bitcoin money laundering

The US Treasury Department's Financial Crimes Enforcement Network (FinCEN) today announced the first sentence against cryptocurrency services, Helix and ...

US: accuse Russians of global attacks

Six Russian agents have been indicted by the US Department of Justice for attacks related to the Winter Olympics in Pyeongchang, ...