APT Targeting Tibetans Packs Four Vulnerabilities in One Compromise

Tibetans along with journalists and human rights workers in Hong Kong and Taiwan have been targeted in campaigns using phishing emails laced with Microsoft RTF attachments that exploit four vulnerabilities.

Tibetans, journalists and human rights workers in Hong Kong and Taiwan have been targeted in an APT campaign that makes use of Microsoft Rich Text File (RTF) documents to compromise computers. Researchers say it’s a new strategy by attackers in an ongoing advanced persistent threat that dates back to 2009.

According to Arbor Networks, the RTF document-based attack uses four known vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770) in one attachment. This is the first time, researchers say, that attackers associated with this APT have packed four vulnerabilities inside a single RTF document.

Once a system is compromised, the vulnerabilities are used to deliver malware payloads such as Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, according to Arbor Networks, which published a report (PDF) of its findings on Monday.

Arbor Networks said attackers are borrowing a best-of-breed mix of past technology used in previous and related APT attacks against similar journalist and human rights targets. “What we have been able to do is update an ongoing APT and show how malware, techniques and spear phishing techniques have been refreshed for the present day,” said Curt Wilson, senior threat intelligence analyst at Arbor Networks, in an interview with Threatpost.

In the week preceding the January 2016 Taiwanese general election, human rights lawyers and Tibetan activists received a phishing email purporting to come from a human rights organization. The email included the subject line “US Congress sanctions $6 million fund for Tibetans in Nepal and India.” Attached was the RTF file carrying the four-pronged exploit.

When a recipient opened the email attachment, the Grabber (aka EvilGrab) malware was injected into the ctfmon.exe process on their system, Arbor Networks said. Grabber then triggered the download of a host of malicious software such as remote access Trojans, giving attackers access to the system and the ability to load additional malicious code.

Payloads varied among Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, just as the phishing email subject lines varied. “[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT,” read another subject line harboring an RTF file that ultimately infected systems with the Kivars keylogger payload.

Wilson said none of the payloads or exploits were new. He added, “Being able to draw a line from one APT to another is an extremely important step when it comes to fighting APTs and ideally – in this case – keeping those fighting for human rights out of jail.”

Wilson said the espionage campaign against journalists, activists and human rights advocates appears to be connected to an even broader set of targets and operations. Also on Monday, The Citizen Lab, part of the Munk School of Global Affairs, similarly published a report tracking advanced persistent threats targeting Hong Kong and Myanmar/Burman democracy activists.
