ExileRAT Malware Targets Tibetan Exile Government

Researchers have discovered a new cyber-espionage campaign targeting the organization representing the exiled Tibetan government that uses malware sharing the same command-and-control (C2) as previous LuckyCat Android- and Windows-based trojans.


Cisco Talos security researchers recently observed a malware campaign delivering a malicious Microsoft PowerPoint document to users of a mailing list run by the Central Tibetan Administration (CTA). a group that officially represents the Tibetan government-in-exile. The group is no stranger to state-sponsored attacks, having been a target of attacks for more than a decade, including a previous series of attacks in 2016 believed to come from China.

Upon closer examination, researchers realized that the infrastructure used for the command and control (C2) in this campaign has been previously linked to the LuckyCat Android- and Windows-based trojans, the former of which also targeted Tibetan activitists.

“The discovery of the C2 led us to identify multiple campaigns being hosted on the C2 using the same payloads, configurations and more,” according to a blog post by researcher Jaeson Schultz, technical leader at Cisco Talos Intelligence & Research Group, describing researchers’ findings.

The document used in the attack was a malicious PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document, Schultz wrote. Attackers used this file “as the dropper to allow the attacker to execute various JavaScript scripts to download the payload,” he said.

Like the previous attacks, this one also showed clear political motivation and cyber-espionage, as it manifested itself with an e-mail message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx,” researchers said. The victims were meant to be subscribers of the news mailing list for those in the Tibetan organization.

“Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain,” Schultz wrote.

Anatomy of an attack

The new malware, which researchers dubbed ExileRAT, abuses a known vulnerability in Microsoft Office, CVE-2017-0199, an arbitrary code execution that resides in the “slide1.xml.rels” file, researchers said.

It also uses a PPSX that is actually a copy of a legitimate PDF with the file name “Tibet-was-never-a-part-of-China” available for download from the tibet.net CTA website. The file was published Nov. 1, 2018, which shows the attackers wasted no time in exploiting the posted document, Schultz wrote.

Digging deeper, researchers found in the malware’s C2 the same C2 domain of an Android RAT Trojan created on Jan. 3, a newer version of the LuckyCat Android RAT used in 2012 against pro-Tibetan sympathizers, Schultz wrote.

Criminals, Not State Actors, Target Russian Oil Company in 3-Year Cyber Attack

The newer version boasts the same features as the 2012 version, which were: file uploading, downloading, information stealing and remote shell. It also adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing, he said.

All of these capabilities clearly point to the attack being part of a continuing trend of state-sponsored actors targeting civilians in cyber-espionage campaigns for political purposes, Schultz wrote. He cited other attacks Cisco Talos researchers tracked recently as evidence of the same–including November’s “Persian Stalker,” which exploited vulnerabilities in secure messaging apps to steal users’ private messages, and a separate mobile-device attack in India last year.

Cisco Links Remote Access Tool Remcos to Cybercriminal Underground

Cisco Talos researchers did not identify the source of the ExileRAT attack, which they were able to halt fairly early in the campaign, Schultz said. Researchers hope will have those responsible on their heels. “We hope that the disruption caused by Cisco Talos will ensure the adversary must regroup,” Schultz wrote.

In the meantime, organizations–whether fearing political attacks or not–should continue to practice defensive patching of systems against known vulnerabilities to help them avoid falling victim to similar scenarios, Schultz wrote.

The Tibetan government in exile has been a frequent target of attacks by groups believed to be aligned with the government of China. An investigation in 2009 revealed a widespread campaign, dubbed GhostNet, targeting the Dalai Lama and his representatives. Tibetan non governmental organizations have also been the target of espionage campaigns and distributed denial of service attacks designed to stifle their online presence.