Delaware, USA – February 7, 2019 – A harmful PPSX document was delivered in terms of the recent malware campaign under the pretense on Central Tibetan Administration and targeting their subscribers’ mailing list, Talos’ security research team reports. The new ExileRAT campaign uses old features like information stealing and uploading and downloading the files but also added some new tricks like audio recording, stealing personal contact information and app execution. The attached document uses Office CVE-2017-0199 exploit for remote code execution, as well as C&C server which was used for recurrent attacks. ExileRAT trojan enables the attackers to remotely transfer the files, read out the victims’ system information and control the processes. After downloading the payload from the C&C server, the ExileRAT creates a scheduled task striving to look legitimate. The IP of the C&C server was also used for several domains masquerading as Google services.
The same C&C server is also leveraged for distribution of the newer version of LuckyCat Android RAT that gives the attackers access to the victim’s SMS, recent calls and location exfiltrating data and encryption keys of WeChat App. It is likely to be another political campaign against the Tibetan government in exile, the researchers state based on the found evidence and the target. At the end of 2018, APT groups allegedly related to the Chinese government began to сщтвгсе significantly more operations (1, 2, 3). Most attacks target Windows systems, so it is crucial to timely uncover the deviations from regular activity in your infrastructure. You can use Windows Security Monitor rule pack to perform statistical analysis and profiling of basic security events and spot suspicious activity: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight