APT actors targeted Tibetan nongovernmental organizations (NGOs) in recent attacks surrounding the 2014 G20 summit in Brisbane, Australia.
ESET researchers identified a Gh0st RAT sample that, they said, had a low number of detections among their users. Various threat actors have previously used this RAT in both targeted campaigns and crimeware-like operations.
In this specific attack, victims received an email as part of a spear phishing scheme. The email, supposedly from “Tibet Press,” invited recipients to a “rally for Tibet” and had a Word document attached, which victims presumed would provide more details. Instead, the document exploited CVE-2012-0158, which could allow Gh0st RAT to be installed.
Once the document was opened, the RAT would try to connect to mailindia.imbss.in or godson355.vicp.cc.
The email was allegedly sent to the European Central Tibetan Administration.