Tibetan activists, diaspora hit by resurfacing malware in cyberespionage operation

The Tibetan diaspora has once again fallen victim to a sophisticated malware campaign similar to one detected in 2016, reports Citizen Lab after receiving the infected files from one of the targets – a Tibetan NGO.

The campaign appears to have been active between January and March 2018 and bears a strong resemblance to another malware campaign from 2016; both are allegedly part of the Tropic Trooper campaign, in which hackers targeted the governments of Taiwan and the Philippines.

“The Resurfaced Campaign used different exploits and payloads than the Parliamentary Campaign but shares other connections,” reads the report. “The two campaigns used similar spear phishing messages and both targeted Tibetan parliamentarians. One of the e-mail addresses used to send spear phishing messages in the Resurfaced Campaign (tibetanparliarnent[@]yahoo.com) was also used repeatedly during the Parliamentary Campaign.”

Malicious campaigns have so far targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile and the Central Tibetan Administration, as part of a large-scale cyberespionage operation. Researchers believe the same hacker group could be behind all the campaigns on the Tibetan diaspora, which has been highly targeted in the past ten years.

The Tibetan activist who received the infected files was suspicious from the get-go, as this wasn’t the first time such an attempt had been made. Even though the email seemed legitimate, it contained a PowerPoint presentation and a text file.

Once Citizen Lab analyzed the files, it concluded that both were indeed laced with malicious code designed to infect Windows computers. Compared with the previous campaign, which relied on targeted malware, known exploits and basic Remote Access Trojans, the 2018 campaign leaned more on social engineering to trick victims into opening the corrupted files and on phishing attempts to steal credentials.

“The campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages,” writes Citizen Lab. “The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.”
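The attack chain above starts with a document attachment, so the practical defensive control is attachment triage at the mail gateway or on the analyst's workstation. The script below is an added example written for this article, not code from Citizen Lab or from the report; it flags RTF files that force an embedded OLE object to load on open (the pattern used by CVE-2017-0199 RTF lures), RTF files whose embedded object targets Equation Editor (the component exploited by CVE-2017-11882, identified here by its CLSID `{0002CE02-0000-0000-C000-000000000046}`), RTF bodies hiding behind a `.doc` extension, and OOXML presentations whose relationship files point at a `script:` moniker. The indicator strings and the sample documents are constructed for illustration and are assumptions about what such lures commonly contain, not indicators published in the report.

```python
"""Triage of e-mail attachments for the exploit-laden document patterns named
in the article. Added example; the heuristic markers are assumptions, not
indicators taken from the Citizen Lab report."""
import io
import re
import zipfile
from dataclasses import dataclass

RISKY_EXTENSIONS = {".rtf", ".doc", ".ppt", ".pptx", ".pps", ".ppsx"}
RTF_MAGIC = b"{\\rt"
# \objupdate makes Word load the embedded OLE object as soon as the file is
# opened; ordinary documents rarely need it (CVE-2017-0199 RTF pattern).
RTF_OBJUPDATE = re.compile(rb"\\objupdate", re.IGNORECASE)
RTF_OBJCLASS_EQUATION = re.compile(rb"\\objclass\s+Equation", re.IGNORECASE)
RTF_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte order it takes inside a hex-encoded OLE stream.
EQUATION_CLSID_LE_HEX = b"02ce020000000000c000000000000046"
# Assumption: a relationship resolving to a script: moniker is the marker of
# the PowerPoint (PPSX) variant of CVE-2017-0199.
OOXML_SCRIPT_MONIKER = re.compile(rb'Target="script:', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    indicator: str
    detail: str


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def _triage_rtf(data: bytes) -> list[Finding]:
    findings = []
    if RTF_OBJUPDATE.search(data):
        findings.append(Finding("rtf-objupdate",
                                "embedded object forced to load on open (CVE-2017-0199 RTF pattern)"))
    if RTF_OBJCLASS_EQUATION.search(data):
        findings.append(Finding("rtf-objclass-equation", "object class declares Equation Editor"))
    for match in RTF_OBJDATA.finditer(data):
        # \objdata is hex text that may be wrapped across lines; normalise it first.
        blob = re.sub(rb"\s+", b"", match.group(1)).lower()
        if EQUATION_CLSID_LE_HEX in blob:
            findings.append(Finding("rtf-equation-editor",
                                    "Equation Editor CLSID inside \\objdata (CVE-2017-11882 target)"))
            break
    return findings


def _triage_ooxml(data: bytes) -> list[Finding]:
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith(".rels") and OOXML_SCRIPT_MONIKER.search(zf.read(name)):
                    findings.append(Finding("ooxml-script-moniker", name))
    except zipfile.BadZipFile:
        pass  # not an OOXML container; nothing more to inspect here
    return findings


def triage_attachment(filename: str, data: bytes) -> list[Finding]:
    """Return the list of heuristic findings for one attachment (empty = nothing seen)."""
    findings = []
    ext = _extension(filename)
    if ext in RISKY_EXTENSIONS:
        findings.append(Finding("risky-extension", ext))
    if data.lstrip().startswith(RTF_MAGIC):
        if ext != ".rtf":  # RTF content is parsed by Word whatever the extension says
            findings.append(Finding("rtf-disguised", f"RTF body with extension {ext or '(none)'}"))
        findings.extend(_triage_rtf(data))
    elif data.startswith(b"PK\x03\x04"):
        findings.extend(_triage_ooxml(data))
    return findings


# Constructed samples (not real malware): a benign RTF, an RTF carrying an
# auto-updating Equation Editor object, and a helper building a minimal PPSX.
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Meeting agenda for March.}"
SAMPLE_EQUATION_RTF = (
    b"{\\rtf1\\ansi Please review the attached agenda.\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata 01050000\n"
    b"02000000 0b000000 " + EQUATION_CLSID_LE_HEX + b"\n"
    b"00000000}}}"
)


def build_sample_ppsx(target: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    '<Relationships><Relationship Id="rId2" Type="oleObject" '
                    f'Target="{target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("agenda.rtf", SAMPLE_BENIGN_RTF),
                       ("invite.doc", SAMPLE_EQUATION_RTF),
                       ("talk.ppsx", build_sample_ppsx("script:http://example.invalid/x"))]:
        print(name, [f.indicator for f in triage_attachment(name, blob)])
```

The script only raises flags; in a gateway it would feed a quarantine decision, and a clean result means none of these particular patterns was present, not that the attachment is safe.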
