Gh0st RAT used in targeted attacks against Tibetan activists

APT actors trying to use the G20 2014 summit as a lure to compromise Tibetan nongovernmental organizations (NGOs) with Gh0st RAT.

Security experts at ESET uncovered a new series of cyber attacks that targeted Tibetan nongovernmental organizations (NGOs) concurrently with the G20 2014 summit in Brisbane, Australia.

The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized by a low detection rate. This RAT has previously been used by different threat actors in targeted attacks and also in cyber criminal campaigns.

“After a quick dynamic analysis, we saw that the magic word used in network communications by this sample is “LURK0”, instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.” wrote ESET in a blog post.

The attack scheme is not different from other targeted attacks, threat actors sent spear phishing email to the victims, the messages, supposedly from “Tibet Press,” proposed to the victims the participation to a “rally for Tibet”. The email had a Word document attached that is used by attackers to exploit the CVE-2012-0158 and drop on the victims’ machine the Gh0st RAT.

Once the victims have opened the document, the Gh0st RAT would try to connect to the following two domains:

• mailindia.imbss.in
• godson355.vicp.cc

in addition, according to the experts the second domain has been used in targeted attacks in the past.

In time I’m writing the researchers to do not have information related to the nature of the actors behind the attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Gh0st RAT, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]