Spy malware buried on official Tibetan website

Share this article:
Researchers have identified a new "watering hole" APT attack.
Researchers have identified a new "watering hole" APT attack.

Chinese-speaking individuals visiting the website for the Central Tibetan Administration are being targeted with a Java exploit that installs advanced malware on their machines.

According to researchers at security firm Kaspersky Lab, the official site for the Tibetan government-in-exile, led by the Dalai Lama, was seeded with a backdoor that takes advantage of a vulnerability in Java, CVE-2012-4681, which was fixed by Oracle roughly a year ago.

The incident bears the signature of a watering hole attack, in which espionage malware is planted on a legitimate site, and then the attackers wait for their desired victims to visit and take the bait.

"The attack itself is precisely targeted," Kurt Baumgartner, principal security researcher at Kaspersky Lab, wrote in a blog post on Monday. "[A]n appended, embedded IFRAME redirects visitors to a Java exploit that maintains a backdoor payload."

Researchers said the attackers have employed certain tricks in this campaign, including functionality that allows them to download the payload in an encrypted format.

Tibetan activists have been targeted in the past by sophisticated malware, including trojans written for Mac OS X, some of which date back to 2008.

"This threat actor has been quietly operating these sorts of watering-hole attacks for at least a couple of years and also the standard spear phishing campaigns against a variety of targets that include Tibetan groups," Baumgartner said.

The English and Tibetan language versions of the site were not affected. It's unclear who is responsible for the attack, but China has been fingered as the culprit in the past.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.