Just like what we have reported recently, we have spotted yet another targeted attack campaign that uses Pro-Tibetan sentiments as social engineering ploy for the attackers to infiltrate target systems. And yes, this is again targeting Windows and Mac systems.
It starts with the email below:
Users clicking on the link included in the email will be led to a site with a script that determines if the user is using a Windows or a Mac system.
The site is currently not resolving but we managed to get the code from Google’s cache:
The script will load a Java applet exploiting CVE-2011-3544, which is an unspecified vulnerability in the Java Runtime Environment component. The said Java applet is detected as JAVA_RHINO.AE. If exploitation is successful, either a SASFIS backdoor (BKDR_SASFIS.EVL) for Windows OS, or an OLYX backdoor (OSX_OLYX.EVL) for Mac OSX, will be installed in the system.
Both backdoors report back to the same C&C server. Moreover, both backdoors have functionalities that include features to allow them to upload and download files and navigate through files and directories in the affected system, providing them further means for their lateral movement and data exfiltration activities.
This reminds us of the previous blog post from our friends in MS about OLYX, which states that the backdoor code is similar to the Gh0St RAT code. This code is one of the favorite backdoor payloads used in advanced persistent campaigns that also target NGOs like Pro-Tibetan organizations.
It is also worth mentioning that we saw the same Command-and-Control server in both a recent Gh0st RAT attack and the targeted attack against Mac OSX users we recently blogged about.
Users are protected from JAVA_RHINO.AE as Trend Micro products detect and remove the said malware. In addition, Trend Micro Deep Security users should apply Rule 1004867 – Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability to protect networks from this attack.
We are continuing to monitor developments in this case and will post more information accordingly. Stay tuned.
Share this article