- Published: 15 March 2012
- Written by NStinchcombe
AlienVault has discovered a range of spear phishing attacks taking place against a number of Tibetan organisations, apparently from Chinese attackers.
According to the Unified Security Information and Event Management (SIEM) solutions specialist, the attacks signal a serious escalation into cyberspace of the cold war that has existed between the two countries since the Chinese army marched into majority Tibetan territory back in 1950.
Jaime Blasco, head of labs with AlienVault, said: "Our research suggests that the attacks we have been tracking over the last few months are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January."
"The spear phishing emails aren’t that sophisticated and feature a Microsoft dot-DOC attachment that exploits a known Office stack overflow vulnerability dating back to last September, which has since been patched by Microsoft," he added.
The AlienVault researcher went on to say that the malware code methodology isn't particularly sophisticated: it uses particular techniques to hide from anti-virus software, while specifically targeting other anti-virus software.
The malware is also digitally signed, he says, to give it an extra layer of authenticity - even though the certificate is valid as the root authority would not be present on the computer the malware infects.
The bad news, he adds, is that the VirusTotal service - which provides free online scanning of suspicious files against up to 44 anti-virus engines - shows that these obfuscation (hiding) steps mean the infection was detected by just two AV vendors at the time of the attacks.
Analysing the attack methodology further reveals that the malware's Internet traffic - as it tries to communicate with a command-and-control server somewhere in China - flags up as a variation on the infamous Gh0st RAT (Remote Access Trojan), he explained, suggesting that the programming team behind this spear phishing attack really know their stuff.
The use of command-and-control servers, says Blasco, allows cybercriminals to gain remote control of the machines that the malware infects and, as we have seen with other complex malware, allows the structure and purpose of the malware program code to be changed remotely.
Put simply, he explained, this allows the cybercriminals to remotely adapt the infection in response to changing circumstances, such as anti-virus software being updated to search specifically for the malware in question, so starting the entire cat-and-mouse detection process off once again.
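The article notes that the malware's traffic is recognised as a variation on Gh0st RAT, which is exactly the kind of network fingerprint a defender can alert on. The following is an added example, not code from the article or from AlienVault: a minimal detector for the classic Gh0st RAT framing (a 5-byte magic tag, two little-endian lengths, then a zlib-compressed body), run over a few constructed flows. The framing details come from public analyses of the Gh0st family, not from this page, and the tag set, sample addresses and payloads are all constructed for the demonstration; known variants change the magic, so the tag set is a parameter.

```python
"""
Added example (not from the article or AlienVault): detect Gh0st-style
command-and-control framing in the first payload of a flow.

Assumed frame layout (public knowledge about the Gh0st family, not from the page):
  bytes 0-4   : 5-byte magic tag, classically b"Gh0st"
  bytes 5-8   : total frame length, little-endian uint32
  bytes 9-12  : uncompressed body length, little-endian uint32
  bytes 13-   : zlib-compressed body
"""
import struct
import zlib

HEADER_LEN = 13
KNOWN_MAGICS = {b"Gh0st"}  # constructed tag set; add variant tags as they are observed


def parse_gh0st_frame(data: bytes, magics=KNOWN_MAGICS):
    """Return a dict describing the frame, or None if `data` is not a well-formed
    Gh0st-style frame. All three checks must pass: known magic, declared total
    length equals the actual length, and the body inflates to the declared size."""
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    if magic not in magics:
        return None
    total_len, raw_len = struct.unpack("<II", data[5:13])
    if total_len != len(data):
        return None
    try:
        body = zlib.decompress(data[13:])
    except zlib.error:
        return None
    if len(body) != raw_len:
        return None
    return {"magic": magic, "total_len": total_len, "raw_len": raw_len, "body": body}


def build_frame(body: bytes, magic: bytes = b"Gh0st") -> bytes:
    """Constructed helper that produces sample input in the same layout, so the
    detector can be exercised offline; it is not taken from any malware sample."""
    comp = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


def scan_flows(flows, magics=KNOWN_MAGICS):
    """flows: iterable of (src, dst, first_client_payload). Returns one alert dict
    per flow whose first payload parses as a Gh0st-style frame."""
    alerts = []
    for src, dst, payload in flows:
        frame = parse_gh0st_frame(payload, magics)
        if frame is not None:
            alerts.append({
                "src": src,
                "dst": dst,
                "magic": frame["magic"].decode("latin-1"),
                "raw_len": frame["raw_len"],
            })
    return alerts


# Constructed sample flows: one Gh0st-style beacon, one ordinary HTTP request,
# and one payload that starts with the magic but has a bogus length and body.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", build_frame(b"\x65" + b"\x00" * 32)),
    ("10.0.0.7", "198.51.100.3", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.9", "203.0.113.11", b"Gh0st" + struct.pack("<II", 40, 10) + b"not-zlib"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT Gh0st-style C2 framing {a['src']} -> {a['dst']} "
              f"magic={a['magic']} raw_len={a['raw_len']}")
```

Requiring all three checks (tag, length and a successful inflate of the declared size) keeps the false-positive rate low: a stray "Gh0st" string in unrelated traffic does not fire. The weak point is the tag, which variants change freely, so in practice the length-plus-zlib structure is the more durable part of the signature.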
“The nature of these spear phishing attacks is such that the fingerprints are similar to previous infection attacks which date back several years – and the Nitro Attacks we saw between April and November last year,” he said.
“The Nitro Attacks were notable for their complexity and successful attacks on at least 100 major servers, using a backdoor malware known as Poison Ivy and other RATs (Remote Access Tools).”
For more on AlienVault: http://www.alienvault.com
For more on the Tibetan spear phishing attacks: see the AlienVault blog http://labs.alienvault.com/labs/index.php/2012/targeted-attacks-against-tibet-organizations/
ENDS
For more information please contact:
Yvonne Eskenzi – 0207 1832 832 or by email