Pro-Tibetan activists become victims of spear phishing
The Hacker News

Hackers are ramping up their attacks against Tibetan activists and are using increasingly sophisticated techniques to deliver malware. An interesting example of such a malicious email has recently been spotted by FireEye researcher Alex Lanstein, who is currently monitoring these spam campaigns.

In the last few months, several security vendors have reported targeted attacks that distributed malware designed to steal confidential information from people or organizations supporting the Tibetan cause. This tactic recently re-surfaced during our monitoring of malware campaigns that leverage Tibetan themes. It came in the form of BKDR_RILER.SVR, a backdoor that arrives infected by PE_SALITY.AC.

A simple Spear Phishing technique was used recently to trick Tibetan activists into opening malicious PDF email attachments, by quoting a legitimate email message sent by FireEye's Lanstein to people who submitted Tibet-related malware samples to the VirusTotal online antivirus scanning service.

According to Trend Micro researcher Ivan Macalintal, the attachment, Next Generation Threats.pdf, exploits a vulnerability to drop a malicious JavaScript that in turn drops a RAT that connects to an IP address located in China. There are a few hints that the people behind the attack are Chinese. The email text was recreated using a key official character set of the People's Republic of China, and a few Chinese characters can be found in the footer of the decoy PDF file.

The backdoor sends the following information to the IP address: IM IDs and passwords, a list of drives and files, and user account names and passwords.

The social engineering techniques used in these attacks are increasingly sophisticated and the distributed malware is capable of infecting both Windows and Mac OS X computers. On Friday, researchers from antivirus firm Kaspersky Lab reported the discovery of a new Mac OS X backdoor which they named SabPub.

Tibetan activists are on a long hit list uncovered by Trend Micro and dubbed the Luckycat campaign. It uses spear-phishing to inject Windows malware, and targets military and other sensitive entities in India and Japan as well as Tibetan activists.
