
Chinese Trojans Gh0stRAT used to attack pro-Tibet organisations

2012-03-14 21:54:00
The Hacker News
thehackernews.com

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%


AlienVault has discovered a range of spear phishing attacks against a number of Tibetan organizations, apparently carried out by Chinese attackers. The security firm believes that the attacks originate from the same Chinese group that launched the Nitro attacks last year, and that they signal a serious escalation into cyberwar from the ‘cold war’ that has existed between the two sides since the occupation by the Chinese army in 1950.

The new attack uses a malicious Word attachment sent by email to organisations including the Central Tibet Administration and the International Campaign for Tibet, with English-language subject lines promoting a Tibetan religious festival. The earlier attacks were given the name Nitro; they leveraged phishing and a PDF exploit to target a vulnerability in Windows (CVE-2010-3333).

The malicious payload delivered in this latest attack is a variant of Gh0stRAT, which exploits a known Office vulnerability. “It is no surprise that Tibetan organisations are being targeted; they have been for years, and we continue to see Chinese actors breaking into numerous organisations with impunity,” said AlienVault’s Jaime Blasco. The malware was digitally signed to give it an extra layer of authenticity, although the certificate was revoked by VeriSign on 12 December 2011.

The malware’s code methodology isn’t particularly sophisticated: it uses a handful of techniques to hide from anti-virus software while specifically targeting other anti-virus products. Blasco also said that this attack uses command-and-control servers to give the attackers remote control of infected machines and to let them change the structure and purpose of the malware code remotely.
