Just like what we have reported recently, we have spotted yet another targeted attack campaign that uses Pro-Tibetan sentiments as social engineering ploy for the attackers to infiltrate target systems. And yes, this is again targeting Windows and Mac systems.
It starts with the email below:
The site is currently not resolving but we managed to get the code from Google’s cache:
Both backdoors report back to the same C&C server. Moreover, both backdoors have functionalities that include features to allow them to upload and download files and navigate through files and directories in the affected system, providing them further means for their lateral movement and data exfiltration activities.
This reminds us of the previous blog post from our friends in MS about OLYX, which states that the backdoor code is similar to the Gh0St RAT code. This code is one of the favorite backdoor payloads used in advanced persistent campaigns that also target NGOs like Pro-Tibetan organizations.
It is also worth mentioning that we saw the same Command-and-Control server in both a recent Gh0st RAT attack and the targeted attack against Mac OSX users we recently blogged about.
We are continuing to monitor developments in this case and will post more information accordingly. Stay tuned.
Leave a reply