Jaime Blasco, head of labs with AlienVault, said "Our research suggests that the attacks we have been tracking over the last few months are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January".
"The spear phishing emails aren’t that sophisticated and feature a Microsoft dot-DOC attachment that exploits a known Office stack overflow vulnerability dating back to last September, which has since been patched by Microsoft," he added.
The malware itself isn't particularly sophisticated; it uses a handful of techniques to hide from anti-virus software while also specifically targeting other anti-virus software.
The malware is also digitally signed to give it an extra layer of apparent authenticity, even though the certificate chains to a root authority that would not be present on the computer the malware infects, so the signature would not be trusted there.
The bad news is that the VirusTotal service - which provides free online scanning of files by up to 44 IT security products - shows that these obfuscation (hiding) steps meant the infection was detected by just two AV vendors at the time of the attacks.
Analyzing the attack methodology further reveals that the malware's Internet traffic - as it tries to communicate with a command-and-control server somewhere in China - is flagged as a variation on the infamous Gh0st RAT (Remote Access Trojan), suggesting that the programming team behind this spear phishing attack really know their stuff.
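For readers who want to see what "flags up as a variation on Gh0st RAT" means in practice, here is an added detector, not code from the article or from AlienVault. It assumes the publicly documented Gh0st framing: a 5-byte tag (classically "Gh0st"), a little-endian 32-bit total frame length including the 13-byte header, a little-endian 32-bit inflated payload length, then a zlib stream. Variants commonly swap the tag, so the check keys on the frame structure rather than the tag string. The sample frames and the benign HTTP request are constructed here for the demonstration.

```python
import struct
import zlib

# Gh0st-style framing as publicly documented (an assumption of this example,
# not something stated in the article): 5-byte tag, uint32 LE total length,
# uint32 LE inflated payload length, then a zlib stream.
HEADER_LEN = 13
KNOWN_TAGS = {b"Gh0st"}


def build_frame(tag: bytes, payload: bytes) -> bytes:
    """Construct one frame in the assumed format (used only to build sample traffic)."""
    body = zlib.compress(payload)
    return tag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def inspect_frame(data: bytes) -> dict:
    """Check whether a captured TCP payload has the structural shape of a Gh0st frame."""
    result = {"tag": None, "known_tag": False, "structural_match": False, "payload": None}
    if len(data) < HEADER_LEN + 2:          # need the header plus a zlib header byte pair
        return result
    tag = data[:5]
    total_len, inflated_len = struct.unpack("<II", data[5:HEADER_LEN])
    result["tag"] = tag
    result["known_tag"] = tag in KNOWN_TAGS
    if total_len != len(data):              # length field must describe the whole frame
        return result
    if data[HEADER_LEN] != 0x78:            # zlib CMF byte: deflate with a 32K window
        return result
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return result
    if len(payload) != inflated_len:        # inflated size must match the header claim
        return result
    result["structural_match"] = True
    result["payload"] = payload
    return result


def classify(data: bytes) -> str:
    """Map a frame to a detection verdict; structure matters more than the tag string."""
    info = inspect_frame(data)
    if info["structural_match"] and info["known_tag"]:
        return "gh0st"
    if info["structural_match"]:
        return "gh0st-like"       # same framing, unknown tag: a probable variant
    if info["known_tag"]:
        return "gh0st-tag-only"   # tag present but framing broken: worth a second look
    return "benign"


# Constructed sample traffic: a classic frame, a retagged variant, and a plain HTTP request.
SAMPLES = {
    "classic": build_frame(b"Gh0st", b"constructed beacon"),
    "variant": build_frame(b"ABCDE", b"constructed beacon"),
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {classify(frame)}")
```

Running the block prints "gh0st" for the classic frame, "gh0st-like" for the retagged variant and "benign" for the HTTP request. The structural check is what lets a defender keep matching when an attacker changes the five-byte tag, which is the cheapest evasion available to them; it will not help if the compression scheme or header layout is changed as well.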
The use of command-and-control servers, says Blasco, allows cybercriminals to gain remote control of the machines that the malware infects and, as we have seen with other complex malware, allows the structure and purpose of the malware program code to be changed remotely.
Put simply, this allows the cybercriminals to remotely adapt the infection in response to changing circumstances, such as anti-virus software being updated to search specifically for the malware in question, so starting the entire cat-and-mouse detection process off once again.
“The nature of these spear phishing attacks is such that the fingerprints are similar to previous infection attacks which date back several years – and the Nitro Attacks we saw between April and November last year,” he said.
The Nitro Attacks were notable for their complexity and successful attacks on at least 100 major servers, using a backdoor malware known as Poison Ivy and other RATs (Remote Access Tools).