Spam mail with Gh0st RAT targets Tibet organizations

AlienVault has detected phishing attacks against Tibetan organizations , apparently from Chinese attackers. AlientValut believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.

A phishing email related to Kalachakra Initiation with a Microsoft word attachment targets Tibetan organizations, try to exploit a known Office stack overflow vulnerability (CVE-2010-3333).

After investigating, researchers discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim’s computer microphone.

Gh0st RAT was a primary tool used in the Nitro attacks last year and the variant we uncovered in these attacks seem to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.