U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Gh0st RAT used in targeted attacks against Tibetan activists

APT actors trying to use the G20 2014 summit as a lure to compromise Tibetan nongovernmental organizations (NGOs) with Gh0st RAT. Security experts at ESET uncovered a new series of cyber attacks that targeted Tibetan nongovernmental organizations (NGOs) concurrently with the G20 2014 summit in Brisbane, Australia. The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized […]

Gh0st RAT used in targeted attacks against Tibetan activists

APT actors trying to use the G20 2014 summit as a lure to compromise Tibetan nongovernmental organizations (NGOs) with Gh0st RAT.

Security experts at ESET uncovered a new series of cyber attacks that targeted Tibetan nongovernmental organizations (NGOs) concurrently with the G20 2014 summit in Brisbane, Australia.

The experts discovered that APTs behind the attacks used a strain of the Gh0st RAT characterized by a low detection rate. This RAT has previously been used by different threat actors in targeted attacks and also in cyber criminal campaigns.

“After a quick dynamic analysis, we saw that the magic word used in network communications by this sample is “LURK0”, instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.” wrote ESET in a blog post.

The attack scheme is not different from other targeted attacks, threat actors sent spear phishing email to the victims, the messages, supposedly from “Tibet Press,” proposed to the victims the participation to a “rally for Tibet”. The email had a Word document attached that is used by attackers to exploit the CVE-2012-0158 and drop on the victims’ machine the Gh0st RAT.

targeted Tibetan NGOs with Gh0st RAT

Once the victims have opened the document, the Gh0st RAT would try to connect to the following two domains:

  • mailindia.imbss.in
  • godson355.vicp.cc

in addition, according to the experts the second domain has been used in targeted attacks in the past.

In time I’m writing the researchers to do not have information related to the nature of the actors behind the attacks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Gh0st RAT, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]