ESET - Malicious Email Campaign Exploits Just Concluded G20 Summit

ESET, a security firm, says that a fresh targeted attack has been using the just concluded G20 summit as a lure which was held at Brisbane, Australia (November 15-16, 2014).

ESET noted that Tibetan-based NGOs or [non-Governmental Organizations] are continuously being attacked especially with malware which using GH0stRAT Trojan, a remote access tool. In this incident, an identified sample had a very few detections but both the strikes were in China.

ESET said after a rapid analysis that they saw magic word employed in network communications by this example was "LURKO" instead of infamous "Gh0st" and added that this specific word has been employed against Tibet-based groups in the past.

The email requests its recipient to join a rally for Tibet at the G20 Brisbane summit. It says that Tibetans and its supporters in Australia and also internationally is calling on main Governments of world to take actions jointly to address the crisis of human rights in Tibet. Hence, like-minded Governments are requested to take a stand by their familiar democratic value and support Tibet.

This is classic spear phishing case and the malicious actor is trying to trick the Internaut into opening the tainted attachment with the help of a rally which is organized by the Australian Tibet Council. In fact, the text of the email was directly taken off their website.

Welivesecurity.com published news on 14th November, 2014 quoting ESET as saying that this email was mailed to the European Central Tibetan Administration.

After analysis, the word document named: "A_Solution_ for _Tibet.doc" is exploiting CVE-2012-0158 which is a very old flaw and still it is used by malicious criminals to hijack systems throughout the world. When clicked open, the malicious document will install the infamous Gh0st RAT on user's machine.

Obviously, once Gh0st RAT is installed, it connects to the Command and Control Centre enabling the operator to control that user's computer remotely which destroys the privacy of the protester leaving them completely vulnerable to spied upon, manipulation or other interference.

ESET observes that these kinds of attacks can be mitigated by avoiding opening email attachments from unknown sources and by installing updated software on computers.

» SPAMfighter News - 11/24/2014