Followers and supporters of Tibetan Buddhist leader the Dalai Lama were the targets of an e-mail-borne attack that used news of the spiritual leader’s birthday to trick recipients into installing a surreptitious monitoring program on their computers.
Researchers at Kaspersky Lab identified a number of e-mail messages sent to supporters of the Buddhist leader containing a Microsoft Word file attachment. When opened, the file exploits a recently discovered hole in Microsoft’s Common Controls and installs a downloader program that, in turn, installs variants of the Midhos family of Trojan horse programs on the infected system. The Midhos Trojan has played a part in earlier attacks on supporters of the Dalai Lama. And analysis of the malware by Kaspersky Lab shows that the command and control infrastructure used in the attacks is identical to that used by a Trojan program designed for Mac OS X systems and used in targeted attacks on the Tibetan Government in Exile.
The latest attacks were first identified on July 3 in the form of e-mail messages with the subject “Dalai Lama’s birthday on July 6 to be low-key affair.” The e-mail messages, sent to supporters, purport to offer details of plans to celebrate the 77th birthday of Tenzin Gyatso, the current Dalai Lama.
Much has been made, in recent months, of the Dalai Lama’s use of Apple products. That shift is possibly a response to the so-called GhostNet attacks against the Tibetan Government In Exile that date to 2009. However, those seeking access to the inner planning of the Dalai Lama and the Tibetan Government in Exile merely shifted to more sophisticated attacks, including Mac-based malware and attacks.
This isn’t the first time that the Tibetan Government in Exile and organizations supporting the Tibetan cause have been targeted. In 2009, researchers in Canada and the UK raised the alarm about a widespread and long-standing espionage campaign, dubbed GhostNet, against governments, human rights organizations and others. Raiu said that, though the Dalai Lama may have shifted to Mac, many of his supporters continue to use Windows systems, necessitating targeted attacks against both platforms.