The Latest in IT Security

Another Tibetan-Themed Malware Email Campaign Targeting Windows and Macs


Just like what we have reported recently, we have spotted yet another targeted attack campaign that uses Pro-Tibetan sentiments as social engineering ploy for the attackers to infiltrate target systems. And yes, this is again targeting Windows and Mac systems.

It starts with the email below:

Users clicking on the link included in the email will be led to a site with a script that determines if the user is using a Windows or a Mac system.

The site is currently not resolving but we managed to get the code from Google’s cache:

The script will load a Java applet exploiting CVE-2011-3544, which is an unspecified vulnerability in the Java Runtime Environment component. The said Java applet is detected as JAVA_RHINO.AE. If exploitation is successful, either a SASFIS backdoor (BKDR_SASFIS.EVL) for Windows OS, or an OLYX backdoor (OSX_OLYX.EVL) for Mac OSX, will be installed in the system.

Both backdoors report back to the same C&C server. Moreover, both backdoors have functionalities that include features to allow them to upload and download files and navigate through files and directories in the affected system, providing them further means for their lateral movement and data exfiltration activities.

This reminds us of the previous blog post from our friends in MS about OLYX, which states that the backdoor code is similar to the Gh0St RAT code. This code is one of the favorite backdoor payloads used in advanced persistent campaigns that also target NGOs like Pro-Tibetan organizations.

It is also worth mentioning that we saw the same Command-and-Control server in both a recent Gh0st RAT attack and the targeted attack against Mac OSX users we recently blogged about.

We are continuing to monitor developments in this case and will post more information accordingly. Stay tuned.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments