Spy Campaign Spams Pro-Tibet Group With ExileRAT

Referencing the Dalai Lama, the spam campaign is targeting recipients of a mailing list run by the Central Tibetan Administration.

A cyber-espionage campaign has been spotted targeting recipients of a mailing list run by the Central Tibetan Administration (CTA).

India’s CTA is an organization officially representing the Tibetan government-in-exile. The territory of Tibet is administered by the People’s Republic of China – but the CTA considers that an illegitimate military occupation. The CTA instead believes that Tibet is a distinct independent nation.

Researchers with Cisco Talos recently discovered emails spamming subscribers on the CTA’s mailing list. The emails, which purport to be from the CTA, said they were commemorating the upcoming 60th anniversary of the Dalai Lama’s exile on March 31 with an attached Microsoft PowerPoint document titled “Tibet Was Never A Part of China.”

CTA malware campaign

Click to Expand.

However, the attachment is actually a malicious PPSX file used as a dropper to allow an attacker to execute various JavaScript scripts and eventually download a payload onto the victims’ systems. That payload, a remote access trojan (RAT) called ExileRAT, scoops up their computer’s information.

“Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain,” researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz said in a Monday analysis. “This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.”

Researchers told Threatpost that they had no further information for now regarding the bad actor behind this campaign.

Craig Williams, director of outreach for Cisco Talos, told Threatpost that the firm observed the first sample from the campaign on Jan. 30.

While it is unknown how many are on the CTA’s mailing list, it appears everyone on the mailing list received the email.

The mailing list’s infrastructure is run by India-based DearMail. Researchers said that attackers modified the standard “Reply-To” header so that any responses would be directed back to an email address belonging to the bad actors (mediabureauin [at] gmail.com).

The email message is entitled “Tibet-was-never-a-part-of-China.”

CTA malware campaign

Click to Expand.

Researchers said the email message contained a malicious PPSX file attachment meant to attack subscribers of the CTA mailing list. PPSX is a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.

The attached document is a large slide show (made up of over 240 slides). Interestingly, the document is actually a copy of a legitimate PDF available for download from the CTA’s tibet.net homepage, researchers said.

“The slideshow’s file name, ‘Tibet-was-never-a-part-of-China,’ is identical to a legitimate PDF published Nov. 1, 2018, which demonstrates the attacker moved quickly to abuse this,” they said.

This attack exploits CVE-2017-0199, a high-severity vulnerability in Microsoft Office, which allows remote attackers to execute arbitrary code via a crafted document. Once downloaded, the malicious PPSX file then executes a Javascript that’s responsible for downloading the payload, ExileRAT, (“syshost.exe”) from the command and control server (C2).

ExileRAT is capable of siphoning information on the system (computer name, username, listing drives, network adapter, process name), pushing files and executing or terminating processes.

Interestingly, the infrastructure used for the C2 in the campaign was previously linked to the LuckyCat Android RAT, and researchers found that the C2 domain featured an Android RAT created on Jan. 3. It’s important to note that LuckyCat was not used in the spam campaign attack from the CTA mailer – it simply shared a C2.

The LuckyCat Android RAT was used in 2012 against Tibetan activists, in a campaign targeting pro-Tibetan sympathizers, researchers said.

“This newer [Jan. 3] version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing,” said Cisco’s researchers.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.