Spy malware buried on official Tibetan website

Share this article:
Researchers have identified a new "watering hole" APT attack.
Researchers have identified a new "watering hole" APT attack.

Chinese-speaking individuals visiting the website for the Central Tibetan Administration are being targeted with a Java exploit that installs advanced malware on their machines.

According to researchers at security firm Kaspersky Lab, the official site for the Tibetan government-in-exile, led by the Dalai Lama, was seeded with a backdoor that takes advantage of a vulnerability in Java, CVE-2012-4681, which was fixed by Oracle roughly a year ago.

The incident bears the signature of a watering hole attack, in which espionage malware is planted on a legitimate site, and then the attackers wait for their desired victims to visit and take the bait.

"The attack itself is precisely targeted," Kurt Baumgartner, principal security researcher at Kaspersky Lab, wrote in a blog post on Monday. "[A]n appended, embedded IFRAME redirects visitors to a Java exploit that maintains a backdoor payload."

Researchers said the attackers have employed certain tricks in this campaign, including functionality that allows them to download the payload in an encrypted format.

Tibetan activists have been targeted in the past by sophisticated malware, including trojans written for Mac OS X, some of which date back to 2008.

"This threat actor has been quietly operating these sorts of watering-hole attacks for at least a couple of years and also the standard spear phishing campaigns against a variety of targets that include Tibetan groups," Baumgartner said.

The English and Tibetan language versions of the site were not affected. It's unclear who is responsible for the attack, but China has been fingered as the culprit in the past.

Share this article:

Sign up to our newsletters

More in News

New VOICE website a resource tool for cyber crime victims

A new website created to aid consumers in quickly reporting cyber crime is now available.

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.