An espionage campaign has been identified that targets subscribers to a mailing list owned by the Central Tibetan Administration (CTA).
The CTA, headquartered in India, is the official organization representing the Tibetan government-in-exile. The territory of Tibet is governed by the People's Republic of China, but the CTA regards that rule as an illegal military occupation and holds that Tibet is a separate, independent nation.
Researchers with Cisco Talos recently discovered spam emails that had been sent to subscribers of the CTA mailing list. The emails, purportedly from the CTA, claimed to celebrate the upcoming 60th anniversary of the Dalai Lama's exile on March 31 and carried an attached PowerPoint document titled "Tibet was never part of China."
"Given the nature of this malware and its objectives, it is likely designed for espionage and not for financial gain," said researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz. "This is just one part of a continuing trend of national agencies working to spy on citizens for political reasons."
The researchers told Threatpost that so far they have no information on who is behind this campaign.
Method of infection
Craig Williams, director of outreach at Cisco Talos, told Threatpost that the company noticed the first sample of the campaign on January 30.
Although the number of people on the CTA mailing list is not known, it appears that all of them received the email.
The mailing list infrastructure is run by DearMail, an Indian company. Researchers said the attackers modified the standard "Reply-To" header so that any replies would be routed back to an attacker-controlled email address (mediabureauin [at] gmail.com).
The email was titled "The-Tibet-was-never-been-part of China".
Researchers said the email contained a malicious PPSX attachment intended to compromise CTA mailing list subscribers. PPSX is a PowerPoint slide show format: a file derived from a Microsoft PowerPoint document that opens directly in presentation mode rather than in the editor.
The attached document is a large slide deck (more than 240 slides). Interestingly, the document is actually a copy of a legitimate PDF that is available for download from the CTA's tibet.net homepage, according to researchers.
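Two of the details above (a rewritten Reply-To header pointing at a third-party webmail address, and a PPSX attachment riding on a legitimate-looking list message) are cheap to check for at the mail gateway or in a mailbox export. The following is an added example, not code from Cisco Talos, Threatpost or DearMail: it parses a message with Python's standard `email` package, flags a Reply-To domain that differs from the From domain, and lists attachments with Office slide-show or document extensions. The sample message is constructed; the sender address and list domain are placeholders, and only the Reply-To address comes from the reporting.

```python
"""Flag mailing-list messages whose Reply-To diverges from the sender domain
and that carry Office-type attachments such as .ppsx.

Added illustration; not Cisco Talos, Threatpost or DearMail code.
"""
import os
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Extensions worth a second look when they arrive via a list message.
RISKY_EXTENSIONS = {".ppsx", ".pps", ".ppt", ".pptx", ".doc", ".docx", ".rtf"}


def domain_of(header_value):
    """Return the lowercase domain of a single address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Return a list of finding strings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)  # EmailMessage under the default policy
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = []
    # A Reply-To that redirects replies to a different domain than the sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{from_domain}->{reply_domain}")
    # Attachments whose extension is in the watch list.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")
    return findings


# Constructed sample: placeholder list sender, Reply-To taken from the reporting,
# and a tiny base64 stub standing in for the real attachment body.
SAMPLE_SUSPICIOUS = """\
From: CTA Mailing List <list@example-cta.invalid>
To: subscriber@example.invalid
Reply-To: mediabureauin@gmail.com
Subject: The-Tibet-was-never-been-part of China
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please see the attached slides.
--XYZ
Content-Type: application/vnd.openxmlformats-officedocument.presentationml.slideshow; name="Tibet-was-never-part-of-China.ppsx"
Content-Disposition: attachment; filename="Tibet-was-never-part-of-China.ppsx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

# Constructed benign sample: no Reply-To rewrite, no attachment.
SAMPLE_BENIGN = """\
From: CTA Mailing List <list@example-cta.invalid>
To: subscriber@example.invalid
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Nothing to see here.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(raw))
```

A Reply-To that differs from From is not by itself malicious; list managers routinely set Reply-To to the list address, so in practice compare the Reply-To domain against an allowlist of known list domains and alert only on free webmail or unknown domains. Attachment extension is likewise a triage signal, not a verdict; a match should route the file to detonation or content inspection rather than block on its own.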
ExileRAT is able to collect information about the system (computer name, username, drive listing, network adapter, process names) and to start or terminate processes.
Connection to LuckyCat RAT
Interestingly, the infrastructure used for command and control (C2) was previously linked to the LuckyCat Android RAT, which was used in 2012 against Tibetan activists.
"The newest version [Jan. 3] includes the same features as the 2012 version (file uploading, downloading, information theft and remote deletion) but adds many new features such as file removal, application execution, audio recording, personal contacts, SMS theft, location theft," Cisco researchers reported.