New ExileRAT backdoor used in attacks aimed at users in Tibet

Pierluigi Paganini February 06, 2019

A malware campaign using a new LuckyCat-linked RAT dubbed ExileRAT has been targeting the mailing list of the organization officially representing the Tibetan government-in-exile.

Security experts at Talos group have uncovered a malware campaign using the ExileRAT backdoor to target the mailing list of the organization officially representing the Tibetan government-in-exile.

Threat actors are delivering the malware via a weaponized Microsoft PowerPoint document; the messages reach people subscribed to a mailing list run by the Central Tibetan Administration (CTA).

ExileRAT campaign

The nature of the malware and its targets suggests the involvement of a nation-state actor carrying out a cyber-espionage campaign.

Given the nature of the threat and the targets, the campaign was likely designed for espionage purposes, Talos’ security researchers say. 

The bait PowerPoint document is a copy of a legitimate PDF available on the CTA’s website; the attackers sent it to all subscribers of the CTA mailing list.

“Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.” reads the analysis published by Talos.

“The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.”

The experts received an email message from the CTA mailing list containing an attachment named “Tibet-was-never-a-part-of-China.ppsx.” The researchers noticed that the standard Reply-To header used by the CTA mailings had been modified to redirect responses to an email address (mediabureauin [at] gmail.com) controlled by the attackers.

The weaponized documents exploit CVE-2017-0199, a zero-day arbitrary code execution vulnerability that Microsoft fixed in April 2017 and that has been actively exploited in attacks in the wild.

The exploit code used by the attackers originated from a public script available on GitHub. The researchers also noticed that the PPSX attempts to contact iplocation to perform geolocation lookups.

It connects to the command and control (C&C) server to receive a JavaScript script responsible for downloading the final payload. 

The malicious code is executed via WScript and also uses cmd.exe to create a scheduled task called “Diagnostic_System_Host,” a name that mimics the legitimate system task name “Diagnostic System Host” with underscores in place of the spaces.
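The lookalike task name above is a cheap persistence trick and an equally cheap detection opportunity. The following script is an added example (not code from the article or from Talos): it reads task names in the shape of `schtasks /query /fo CSV` output, normalizes away spaces, underscores and hyphens, and flags any name that collides with a known legitimate task but is not spelled identically. The reference list and the sample CSV are constructed for the example.

```python
import csv
import io
import re

# Reference set of legitimate task names to defend. Constructed for this example;
# "Diagnostic System Host" is the name the campaign's task imitates per the Talos report.
LEGIT_TASK_NAMES = {
    "Diagnostic System Host",
    "Microsoft Compatibility Appraiser",
    "OneDrive Standalone Update Task",
}

def normalize(name: str) -> str:
    """Strip spaces, underscores and hyphens and lower-case, so that
    'Diagnostic_System_Host' and 'Diagnostic System Host' collide."""
    return re.sub(r"[\s_\-]+", "", name).lower()

def task_names_from_csv(csv_text: str):
    """Extract bare task names (task-folder path removed) from schtasks-style CSV."""
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        full = row.get("TaskName", "")
        if full:
            names.append(full.rsplit("\\", 1)[-1])
    return names

def lookalike_tasks(task_names):
    """Return (suspicious, imitated) pairs: names that equal a legitimate
    name after normalization but differ in exact spelling."""
    legit_by_key = {normalize(n): n for n in LEGIT_TASK_NAMES}
    hits = []
    for name in task_names:
        legit = legit_by_key.get(normalize(name))
        if legit is not None and name != legit:
            hits.append((name, legit))
    return hits

# Constructed sample in the shape of `schtasks /query /fo CSV` output.
SAMPLE_CSV = """\
"TaskName","Next Run Time","Status"
"\\Diagnostic_System_Host","N/A","Ready"
"\\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser","N/A","Ready"
"\\OneDrive Standalone Update Task","N/A","Ready"
"""

if __name__ == "__main__":
    for bad, good in lookalike_tasks(task_names_from_csv(SAMPLE_CSV)):
        print(f"suspicious task {bad!r} mimics {good!r}")
```

The same normalization can be applied to Event ID 4698 (scheduled task created) records to catch the task at creation time rather than on a later sweep.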

The ExileRAT sample used in this campaign supports commands to retrieve system information (computer name, username, drive listing, network adapters and process names), exfiltrate data, and execute or terminate processes.

Talos pointed out that the C2 infrastructure has been used in multiple campaigns, including attacks against Tibetan activists leveraging a newer version of the LuckyCat Android RAT.

“This newer version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing.” continues the report.

Talos concludes that this new campaign represents an “evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities.”

The good news is that attackers leveraged an old issue that could be easily detected by up-to-date defense systems. 


Pierluigi Paganini

(SecurityAffairs – hacking, Exilerat)
