Tibetan activists, diaspora hit by resurfacing malware in cyberespionage operation
The Tibetan diaspora has once again fallen victim to a sophisticated malware campaign similar to one detected in 2016, reports Citizen Lab after receiving the infected files from one of the targets – a Tibetan NGO.
The campaign appears to have been active between January and March 2018 and closely resembles a malware campaign from 2016; both are allegedly part of the Tropic Trooper campaign, in which hackers targeted the governments of Taiwan and the Philippines.
“The Resurfaced Campaign used different exploits and payloads than the Parliamentary Campaign but shares other connections,” reads the report. “The two campaigns used similar spear phishing messages and both targeted Tibetan parliamentarians. One of the e-mail addresses used to send spear phishing messages in the Resurfaced Campaign (tibetanparliarnent[@]yahoo.com) was also used repeatedly during the Parliamentary Campaign.”
Malicious campaigns have so far targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile and the Central Tibetan Administration, as part of a large-scale cyberespionage operation. Researchers believe the same hacker group could be behind all the campaigns against the Tibetan diaspora, which has been heavily targeted over the past ten years.
The Tibetan activist who received the infected files was suspicious from the get-go, as this wasn't the first time such an attempt had been made. Even though the email seemed legitimate, it contained a PowerPoint presentation and a text file.
Citizen Lab analyzed the two files and concluded that both carried malicious code designed to infect Windows computers. Whereas the previous campaign relied on targeted malware, known exploits and basic Remote Access Trojans, the 2018 campaign leaned more on social engineering to trick victims into opening the malicious files and on phishing to steal credentials.
“The campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages,” writes Citizen Lab. “The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.”
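The report names two attachment types as the initial vector: exploit-laden PowerPoint and RTF files delivered by spear phishing. The following triage script is an added example (not Citizen Lab's tooling and not from the original article) of a defensive pre-filter a mail gateway could run on such attachments: it flags RTF files that carry embedded OLE objects and OOXML packages whose OLE relationships point to an external target, since ordinary documents rarely need either. The heuristics and the constructed sample files are assumptions for illustration, not signatures for the CVEs mentioned.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_SUFFIX = "/oleObject"  # OOXML relationship Type for OLE objects
# RTF control words that introduce an embedded OLE object (assumed heuristic, not a CVE signature)
RTF_OLE_MARKERS = (b"\\object", b"\\objdata", b"\\objupdate")


def triage_rtf(data: bytes) -> list:
    """Flag RTF documents that embed OLE objects; plain RTF text has no need for them."""
    return [f"rtf: OLE control word {m.decode()}" for m in RTF_OLE_MARKERS if m in data]


def triage_ooxml(data: bytes) -> list:
    """Flag OOXML packages (pptx/docx) whose OLE relationships resolve outside the file."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in (n for n in zf.namelist() if n.endswith(".rels")):
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    findings.append(f"ooxml: unparsable relationship part {name}")
                    continue
                for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                    is_ole = rel.get("Type", "").endswith(OLE_REL_SUFFIX)
                    external = rel.get("TargetMode", "").lower() == "external"
                    if is_ole and external:
                        findings.append(f"ooxml: {name} links OLE object to {rel.get('Target')}")
    except zipfile.BadZipFile:
        findings.append("ooxml: corrupt zip container")
    return findings


def triage_attachment(data: bytes) -> list:
    """Dispatch on magic bytes; returns a list of findings (empty means nothing suspicious)."""
    if data.startswith(b"{\\rtf"):
        return triage_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    return []


def build_sample_pptx(target: str, mode: str) -> bytes:
    """Constructed minimal package holding one slide relationship part (sample input only)."""
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId2" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships{OLE_REL_SUFFIX}" '
            f'Target="{target}" TargetMode="{mode}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


SAMPLE_RTF_PLAIN = b"{\\rtf1\\ansi Hello}"                          # constructed benign RTF
SAMPLE_RTF_OLE = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}"  # constructed RTF with object
```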