G20 targeted as malware authors hone in on Tibet activists

Coverage of the recent G20 Summit included many images of protestors arguing the cause of a free Tibet, but the event also saw cybercriminals weighing in on the Tibet issue as they targeted G20 protestors with customised malware coincidental to the high-profile event.

ESET malware researchers uncovered one of the malware strains timed to coincide with the event, with the off-the-shelf Gh0st RAT strain targeted at Tibet-related non-government organisations.

The strain was distributed as an email publicising a rally organised by the Australian Tibetan Community Association (ATCA) and including a malware-laden file attachment called A_Solution_for_Tibet.doc.

Once opened, the attachment exploited the CVE-2012-0158 vulnerability – an old exploit that is still frequently used by spear phishers. The malware installs Gh0st RAT and then tries to connect to two domains, mailindia.imbss.in and godson355.vicp.cc.

The text was real, taken from the Australian Tibetan Council web site, and was allegedly sent to the European Central Tibetan Administration, ESET's analysts said.

“NGO members with a political, religious or environmental agenda have been targeted in the past and will most likely continue to undergo continuous attacks in the future,” the ESET analysis warns.”

“In the light of constant attacks against them, they should definitely be as cautious as one can be when these types of emails are received, especially when popular themes or news events are used as a lure.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags Enex TestLabmalwarenon-government organisationsG20Gh0st RATCSO AustraliaNGO membersG20 SummitATCACVE-2012-0158 vulnerabilityTibet activistscustomised malwareESET malware

Show Comments