




Wednesday, 14 March 2012

Chinese spearphishing attacks target Tibetan activists

A series of spearphishing attacks against Tibetan organisations has been detected.

According to research from security information and event management (SIEM) vendor AlienVault, the attacks originate in China and mark a significant escalation into cyberwar of the 'cold war' that has existed between the two sides since the occupation of Tibet by the Chinese army in 1950.

The company claimed that the attacks were targeted at Tibetan activist organisations including the Central Tibet Administration and International Campaign for Tibet.

It said it believed the attacks come from the same group of Chinese hackers that launched the 'Nitro' attacks against chemical and defence companies late last year, and that they were aimed both at spying on these organisations and at stealing sensitive details about their activities and supporters.

The attack began with a spearphishing message containing information about the Tibetan religious festival 'Kalachakra Initiation'; it carried a PDF that exploited a known vulnerability in Microsoft software. Further investigation found that the malware dropped by the exploit was a variant of Gh0st RAT (a remote-access Trojan), which can do anything from stealing documents to switching on the victim's microphone.

Gh0st RAT was also one of the main tools used in the Nitro attacks last year, and the variant AlienVault uncovered here appears to come from the same actors.

The malware was digitally signed to lend it an extra layer of apparent legitimacy, although the signing certificate had been revoked by VeriSign on 12 December 2011. Revocation does not invalidate the signature itself: a verifier that only checks the cryptographic signature and the chain will still accept such a binary unless it also consults the issuer's revocation data (CRL or OCSP).
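The revoked-certificate detail deserves a concrete check. The Go program below is an added example, not code from the article or from AlienVault: it builds a throwaway CA and a code-signing certificate in memory (placeholder names and serials), signs a constructed payload, and verifies it the way a cautious loader should, checking the chain, the signature and a CA-signed CRL in turn. With an empty CRL the artifact passes; once the CA publishes a CRL listing the signer's serial, the same bytes and the same still-valid signature are rejected, and a missing CRL is treated as a failure rather than a pass. Real Authenticode wraps RSA/PKCS#7 structures and timestamp countersignatures rather than this bare ECDSA signature; that simplification is the example's, not the attack's.

```go
// Added example (not the article's or AlienVault's code): verify a code
// signature the way a revoked certificate demands: chain, signature, then CRL.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact stands in for a signed binary: payload, detached signature, signer cert (DER).
type SignedArtifact struct{ Payload, Signature, LeafDER []byte }

var ErrRevoked = errors.New("signer certificate is revoked")

// Verify accepts art only if the leaf chains to caDER for code signing, the
// signature matches the payload, and the leaf's serial is absent from a CRL
// signed by the CA. A nil/absent CRL fails at parse time, i.e. no CRL, no trust.
func Verify(art SignedArtifact, caDER, crlDER []byte) error {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(art.LeafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	digest := sha256.Sum256(art.Payload)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], art.Signature) {
		return errors.New("signature does not match payload (or unsupported key type)")
	}
	crl, err := x509.ParseRevocationList(crlDER) // errors on nil input: no CRL, no trust
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // reject a CRL the CA did not sign
		return fmt.Errorf("crl: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario constructs a toy CA, a signed artifact, and two CRLs from that CA: one empty, one listing the signer.
func BuildScenario() (art SignedArtifact, caDER, emptyCRL, revokedCRL []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{ // placeholder CA; SubjectKeyId is required to issue CRLs
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), SubjectKeyId: []byte{1, 2, 3, 4},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER = must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{ // placeholder publisher cert with the code-signing EKU
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Publisher Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &signerKey.PublicKey, caKey))
	payload := []byte("constructed stand-in for a dropper executable")
	digest := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, signerKey, digest[:]))
	mkCRL := func(revoked []pkix.RevokedCertificate) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
			RevokedCertificates: revoked}, caCert, caKey))
	}
	revokedCRL = mkCRL([]pkix.RevokedCertificate{{SerialNumber: leafTmpl.SerialNumber, RevocationTime: now}})
	return SignedArtifact{Payload: payload, Signature: sig, LeafDER: leafDER}, caDER, mkCRL(nil), revokedCRL
}
```

Calling `Verify(art, caDER, emptyCRL)` returns nil, while `Verify(art, caDER, revokedCRL)` returns `ErrRevoked` for byte-identical input; the design point is that revocation is a separate policy decision layered on top of a signature that remains mathematically valid, so a loader that stops after the chain and signature checks is exactly the loader this kind of malware is signed for.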

Jaime Blasco, head of labs at AlienVault, said: "The spearphishing emails aren't that sophisticated and have a Microsoft .doc attachment that exploits a known Office stack overflow vulnerability dating back to last September, which has since been patched by Microsoft."

He also said that the attack uses command-and-control servers to give the cyber criminals remote control of infected machines and to let them change the structure and purpose of the malware code remotely.

This allows the attackers to adapt the infection remotely as circumstances change, including in response to anti-virus updates. A VirusTotal scan showed that, thanks to these obfuscation steps, the sample was detected by just two anti-virus engines at the time of the attacks.

The company previously detected Chinese attacks against US government agencies, including the US Department of Defense, which used a new strain of the Sykipot malware to compromise smartcard-based authentication.


