Rogue Twitter Account Used in Targeted Attacks Against Free Tibet Supporters

Attackers targeting Tibetan freedom supporters aren’t holding back when it comes to using all avenues to infect activists with malware. In a relatively short amount of time, we’ve seen Tibetan nationals in China and in exile around the world targeted with spear phishing campaigns, watering hole attacks, hacks against Android mobile devices and now the latest vector: social media sites.


A rogue Twitter account was registered and on Feb. 27 sent three tweets to different leaders of the free Tibet movement, each with a message appealing to the target to click on an embedded link that led to a malware-laden site.

Researchers at Cyber Squared, an Arlington, Va.-based security company, published their findings this week. The links in the tweets, analyst Wes Hurd wrote, led to a Tibet-themed WordPress blog and a Chinese-language forum; both served up Adobe Flash exploits used in the past to attack aerospace companies as well as an online payroll provider. Hurd said his company informed Twitter of the account (@hahadaxiao1) and of the targeted attacks. Cyber Squared did not reveal the targets, identifying them only as an individual affiliated with a Tibetan independence movement and two Chinese-language accounts affiliated with political activism.

“All of the tweet recipients share characteristics that would be of interest for Chinese government sponsored cyber espionage actors, and are related to entities that are known targets of Chinese APT,” Hurd wrote.

Two of the tweets were written in Chinese characters, while the third referenced news of a self-immolation in Tibet. This is not the first case of social engineering targeting Tibetan activists around that topic. Citizen Lab, which recently reported the discovery of Android malware that targeted Tibetans and reported their physical locations to the attackers, has warned people in the movement of the increased use of this lure by the Chinese government to infect computers with espionage malware.

Self-immolation is a form of protest adopted by exiled Tibetans to call attention to the oppressive policies of the Chinese government, people in the movement said. Citizen Lab said the Chinese government has labeled the protesters radicals, even terrorists. The government said the practice is orchestrated by the exiled Dalai Lama. In addition to stepping up police presence and putting further controls on Internet access, Citizen Lab said the Chinese have ramped up targeted malware attacks against Tibetan freedom advocates since late 2011, in particular spear phishing campaigns using self-immolation as a theme in subject lines and malicious files attached to the messages.

This is likely one of the first times social networking sites have been used to target activists, Hurd said.

As for the exploits used in this attack, the link sent to the Chinese blog and the Chinese activism account connected to a forum at dwnews[.]com hosting a malicious Flash SWF exploit for CVE-2013-0634. The vulnerability was patched in an emergency Adobe update released Feb. 8. Adobe said the in-the-wild attacks at the time targeted Flash Player in Firefox or Safari on Mac OS X via malicious web content, and Flash Player on Windows via Word documents carrying embedded Flash content.

The second link used in the Twitter-based attack tried to lure the victim to a WordPress blog at nyamdel[.]com hosting a full list of self-immolations. That site too hosted a malicious SWF exploit targeting CVE-2013-0634, as well as a second exploit hosted on a page frequented by Uyghur supporters, another frequent target of the same actors.
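The two domains above are published defanged (with "[.]") so that they cannot be clicked by accident; before they can be matched against proxy or DNS logs they have to be refanged and reduced to a hostname, and the comparison has to catch subdomains without also catching look-alike names. The following is an added example, not code from the original article or from Cyber Squared, showing that workflow over a few constructed Squid-style proxy log lines. The indicator list uses only the two domains named on this page; the "hxxp://..." entry and its path are hypothetical, included only to exercise the refanging step.

```python
import re
from urllib.parse import urlsplit

# Indicators as published on this page, in defanged form. The third entry is a
# hypothetical URL-style indicator (the path is not from the article) added so
# the refanger is exercised on the hxxp:// convention as well.
DEFANGED_IOCS = [
    "dwnews[.]com",
    "nyamdel[.]com",
    "hxxp://dwnews[.]com/forum/",
]

# Constructed Squid-style access log lines (not real traffic). Line 4 is a
# look-alike domain that must NOT match "dwnews.com".
SAMPLE_LOG = [
    "1362000001.123 10.0.0.5 TCP_MISS/200 GET http://www.dwnews.com/forum/thread.php - DIRECT/203.0.113.10 text/html",
    "1362000002.456 10.0.0.7 TCP_MISS/200 GET http://nyamdel.com/self-immolations/ - DIRECT/203.0.113.11 text/html",
    "1362000003.789 10.0.0.9 TCP_MISS/200 GET http://example.org/index.html - DIRECT/203.0.113.12 text/html",
    "1362000004.000 10.0.0.9 TCP_MISS/200 GET http://notdwnews.com/ - DIRECT/203.0.113.13 text/html",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp", "[://]") back into its real form."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = s.replace("[://]", "://").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def ioc_host(ioc: str) -> str:
    """Extract the lowercase hostname from a refanged domain or URL indicator."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s  # bare domain: give urlsplit a scheme to parse
    return urlsplit(s).hostname.lower()


def host_matches(host: str, indicator_host: str) -> bool:
    """Exact match or a true subdomain; 'notdwnews.com' must not match 'dwnews.com'."""
    host = host.lower().rstrip(".")
    return host == indicator_host or host.endswith("." + indicator_host)


def scan_proxy_log(lines, iocs):
    """Return (line_number, requested_host, matched_indicator) for each hit."""
    indicator_hosts = sorted({ioc_host(i) for i in iocs})  # dedupe; two IOCs share dwnews.com
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = re.search(r'https?://[^\s"]+', line)
        if not m:
            continue
        url_host = urlsplit(m.group(0)).hostname
        if not url_host:
            continue
        for ih in indicator_hosts:
            if host_matches(url_host, ih):
                hits.append((lineno, url_host.lower(), ih))
    return hits


if __name__ == "__main__":
    for lineno, host, ioc in scan_proxy_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {lineno}: {host} matched indicator {ioc}")
```

Because both sites were legitimate pages (a news forum and a blog) that were serving the exploit, a hit is a lead to triage against the campaign's time window and the affected paths, not proof of compromise on its own; the exploit, not the domain, is the malicious component.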

The payloads pushed by the exploits include a .dll file that drops two executables, Hurd said, seccenter[.]xxx and ~uz[random][.]tmp, which make up a new remote access Trojan. The Trojan operates over HTTP, calling out to command-and-control infrastructure from which additional malicious plug-ins can be installed and to which information stolen from the infected computer is sent. Hurd said the malware persists on the machine and can be customized by the attacker to install more malware or to avoid detection by security software.

“While social networking sites have their benefits, it is important to consider how they can also enable a focused threat actor to sneak targeted attacks into an enterprise without using traditional email spear-phishing techniques,” Hurd said. “Often sophisticated threat groups will not discriminate between their target’s personal and professional profiles, which may subsequently introduce additional risks to enterprise networks.”
