Subscribers to a Tibetan Government-in-Exile mailing list were targeted in a recent email-based phishing campaign designed to infect them with a remote access trojan.
Dubbed ExileRAT, the trojan is capable of gathering system information, retrieving and pushing files, and executing and ending various processes, according to a blog post from Cisco Systems' Talos division, whose researchers uncovered the cyber espionage operation.
An analysis of the campaign revealed ExileRAT shares a command-and-control infrastructure with LuckyCat, an older RAT attributed to a suspected Chinese APT group that goes by the same name. Historically, the LuckyCat trojan has been used to spy on pro-Tibetan activists and sympathizers via their Android and Windows devices.
In this instance, the researchers actually uncovered a new Android version of LuckyCat that, on top of its previously known functionality, can now remove files; execute apps; record audio; and steal contact information, SMS messages, calls and locations. Additionally, Talos believes it can modify the permissions of Tencent's WeChat chat application, allowing the attackers retrieve encryption keys and decrypt messages.
Otherwise known as the Central Tibetan Administration (CTA), the Tibetan Government-in-Exile seeks independence for Tibet, which is governed as an autonomous region within greater China. According to Talos, ExileRAT campaign leveraged the India-based organization's own mailing list in a scheme to spy on its subscribers by sending them a phony email purporting to be from the CTA.
The malicious actors somehow "modified the standard Reply-To header normally used by the CTA mailings so that any responses would be directed back to an email address belonging to the attackers," explains the Talos blog post, authored by researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz. CTA uses India-based DearMail as its based web-based email campaign management service, the report notes.
Attached to the email was a malicious PowerPoint slideshow file titled "Tibet-was-never-a-part-of-China.ppsx." The slideshow was actually a copy of a previously published PDF document that favors the so-called "Middle Way" approach to the ongoing political controversy surrounding China's claim on Tibet.
The body of the email itself claimed the attached document attachment was being distributed to commemorate the 60th anniversary of the Dalai Lama's exile. But opening the attachment would have triggered an exploit of CVE-2017-0199, a Microsoft Office arbitrary code execution vulnerability. This flaw enabled the attackers to deliver a JavaScript file that in turn would ultimately download ExileRAT.
"This attack was yet another evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities," concludes the Talos report. "Having stopped this attack quickly, we hope that the disruption caused by Cisco Talos will ensure the adversary must regroup."
