Tibetan Communities Under Targeted Attacks
Various targeted cyber attacks have been taking place recently. The attacks generally start with a very trustworthy-looking e-mail, spoofed so that it appears to originate from a known contact, sent to someone within one of the Tibet communities. In some cases, messages have also been distributed to mailing lists. These messages, however, contain malicious attachments. These are either CHM help files with embedded objects, Acrobat Reader PDF files with exploits, Microsoft Office exploits, LHA files exploiting vulnerabilities in WinRAR, or an attached HTML file that exploits an ActiveX component.
Here’s a sample attachment and its current antivirus detection results:
File name: reports_of_violence_in_tibet.ppt
MD5: 977a4ac91acf5d88044a68f828154155

Engine              Version       Signatures   Detection
AntiVir             7.6.0.75      2008.03.20   EXP/Office.Dropper.Gen
Avast               4.7.1098.0    2008.03.20   MPPT97:CVE-2006-3590
BitDefender         7.2           2008.03.20   Exploit.PPT.Gen
F-Prot              4.4.2.54      2008.03.19   File is damaged
NOD32v2             2964          2008.03.20   PP97M/TrojanDropper.Agent.NAI
Webwasher-Gateway   6.6.2         2008.03.20   Exploit.Office.Dropper.Gen
At this moment, antivirus vendors are not proving effective against the samples distributed in this ongoing attack. Similar samples keep returning, slightly edited so that existing signatures no longer pick them up. Most of the time, the samples then drop very raw trojans whose capabilities are not restricted much. This means that investigating the trojan alone does not always reveal the target data. When investigating such an attack, it is actually necessary to find out which commands were submitted to the trojan in order to discover what data was actually targeted. So far, there are attacks that specifically searched the file system for Word documents, e-mail contents and PGP keyrings.
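As an added example that is not part of the original post, the following script classifies the commands recovered from a compromised host by the kind of data they reach for, using the three categories named above (Word documents, e-mail contents, PGP keyrings). The command log and the path patterns are constructed for illustration and are not taken from any real sample.

```python
import re
from collections import defaultdict

# Constructed sample of commands recovered from a trojan session on a
# compromised host (hypothetical; not from any real incident).
SAMPLE_COMMANDS = r"""
dir /s /b C:\Users\*.doc
dir /s /b "C:\Documents and Settings\*.docx"
copy "C:\Program Files\Thunderbird\Profiles\abc.default\Mail\Inbox" C:\tmp\m1
type "C:\Documents and Settings\user\Application Data\gnupg\secring.gpg"
dir C:\Windows\Temp
ipconfig /all
"""

# Indicators for the data categories the post says were targeted.
# These patterns are assumptions chosen for the sample above.
TARGET_PATTERNS = {
    "word_documents": re.compile(r"\.docx?\b", re.IGNORECASE),
    "email_contents": re.compile(
        r"\\(?:mail|inbox|outlook)\b|\.pst\b|\.mbox\b", re.IGNORECASE),
    "pgp_keyrings": re.compile(
        r"(?:sec|pub)ring\.(?:gpg|pkr|skr)\b|\\gnupg\\", re.IGNORECASE),
}


def classify_commands(log_text):
    """Map each targeted-data category to the command lines that touched it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for category, pattern in TARGET_PATTERNS.items():
            if pattern.search(line):
                hits[category].append(line)
    return dict(hits)


def targeted_data_summary(log_text):
    """Sorted list of data categories the attacker went after."""
    return sorted(classify_commands(log_text))


if __name__ == "__main__":
    for category, lines in classify_commands(SAMPLE_COMMANDS).items():
        print(f"{category}:")
        for cmd in lines:
            print(f"    {cmd}")
```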
It seems the attacks are targeted against protesting Tibet communities. These attacks are not limited to the various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.