We have recently analyzed a series of emails sent to specific users that leverage a prominent socio-political issue. One of these messages concerns a supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet. The From field indicates that it came from a key officer of the ATC, or Australian Tibet Council. The email is faked, of course: the email address was newly created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once downloaded and opened, the file, detected as TROJ_ARTIEF.AE, exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop other files. The dropped file is detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information by executing specific shell commands. The stolen data are then uploaded to malicious sites.
We received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association Central and contains the recent speech given by TWA during the 56th Session of the United Nations Commission on the Status of Women. Like the first sample, it comes with a .DOC file of the complete speech. This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.
Based on our analysis, we have reason to believe that these messages are part of a targeted attack. Both samples use specific political issues as social engineering bait. We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the Tibet Movement. The messages spoofed the organizations TWA Central and Australian Tibet Council to appear credible to the intended recipients. This is a common technique used by spammers and those behind targeted attack campaigns and does not necessarily mean that these groups were compromised. Adding to our suspicion that this is a targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.
Below is a list of emails we intercepted with malicious attachments related to this incident. This list, however, is not definitive, as there may be other variants yet to be seen.
| Email Subject | Attachment File Name | Attachment Type | Attachment Detection Name | Dropped File Detection Name |
|---|---|---|---|---|
| Germany Chancellor Again Comments on Lhasa protests | Germany Chancellor Again Comments on Lhasa Protests.doc | .DOC | TROJ_ARTIEF.AE | TSPY_MARADE.AA |
| TWA’s speech in the meeting of the United Nations Commission for Human Rights | TheSpeech.doc | .DOC | TROJ_ARTIEF.CP | TROJ_REDOSDR.AH |
| Fowarding of TWA message | English_Final_Statement.doc, English_Final_Statement_1.doc | .DOC | TROJ_ARTIEF.DA, TROJ_ARTIEF.DB | TROJ_SWISYN.GT |
| Open Letter To President Hu | Letter.doc | .DOC | TROJ_ARTIEF.DD | TSPY_ROFU.NSS |
| Tibetan environmental situations for the past 10 years | Tibetan environmental statistics.xls | .XLS | TROJ_MDROPPR.BJ | BKDR_MECIV.AC |
| An Urgent Appeal Co-signed by Three Tibetans | Appeal to Tibetans To Cease Self-Immolation.doc | .DOC | TROJ_ARTIEF.CX | TROJ_SASFIS.UL |
| About TYC Centrex Notice and New email id of TYC Centrex | Centrex_Contact.doc | .DOC | TROJ_ARTIEF.CZ | TROJ_SHWOM.A |
| [Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. | march10.doc | .DOC | TROJ_ARTIEF.DF | TROJ_SHWOM.A |
| 10th march speech | 10th March final.doc, 10th March final.pdf | .DOC, .PDF | TROJ_ARTIEF.CU | BKDR_MECIV.AA, BKDR_MECIV.AD |
| FW: Call for End to Burnings | Support List.xls | .XLS | TROJ_MDROPPR.BK | BKDR_PROTUX.BK, BKDR_PROTUX.BJ |
| Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012 | Public Talk by the Dalai Lama.doc | .DOC | TROJ_ARTIEF.DG | TROJ_SWISYN.GT |
| Bonafide Certificate of Miss Tenzin Tselha | tentselha.zip (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) | ZIP (containing LNK, EXE, JPG) | TROJ_REDOSDR.AH | TROJ_REDOSDR.AH |
| TWA mourns the self immolation deaths of two female protesters this past weekend | TWA mourns the self immolation deaths of two female protesters.doc | .DOC | TROJ_ARTIEF.SM3 | TSPY_MARADE.AA, TSPY_ZBOT.BPG |
| Self-Immolations: New heightened form of Non Violent protests in Tibet | TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc | .DOC | TROJ_ARTIEF.DH | BKDR_AGENT.ZZZZ |
| Arrest and protests mar ‘Losar’ week in Tibet.eml | an appealing letter to the United Nations.doc | .DOC | TROJ_ARTIEF.CW | TROJ_SWISYN.HV |
| UN Human Rights Council publishes written statement on discrimination in Tibet.eml | G1210456.doc | .DOC | TROJ_ARTIEF.CT | TROJ_SWISYN.HV |
| Students For A Free Tibet !.eml | Action Plan for March 10th.doc | .DOC | TROJ_ARTIEF.JD | BKDR_DUOJEEN.A |
The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from as far back as 2008, such as the ones we wrote about here and here, you will find similarities with past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop information-stealing malware.
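As an added example (not from the original post and not Trend Micro tooling), the following Python script triages a raw .eml against a few of the subjects and attachment names listed in the table above, and additionally flags .DOC/.XLS attachments whose bytes are RTF rather than an OLE container, since CVE-2010-3333 is a flaw in Word's RTF parser and exploit documents for it are RTF files carrying a .doc name. The sample message, its addresses and the attachment bytes are all constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names copied from the table in this post.
KNOWN_SUBJECTS = {
    "Germany Chancellor Again Comments on Lhasa protests",
    "Open Letter To President Hu",
    "10th march speech",
}
KNOWN_ATTACHMENTS = {
    "Germany Chancellor Again Comments on Lhasa Protests.doc",
    "TheSpeech.doc",
    "Letter.doc",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0"   # header of a genuine binary .doc/.xls container
RTF_MAGIC = b"{\\rtf"             # RTF text disguised under an Office extension

def triage_message(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in {s.lower() for s in KNOWN_SUBJECTS}:
        findings.append(f"known-subject:{subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name in KNOWN_ATTACHMENTS:
            findings.append(f"known-attachment:{name}")
        if name.lower().endswith((".doc", ".xls")):
            # Extension says Office binary; check what the bytes actually are.
            if payload.startswith(RTF_MAGIC):
                findings.append(f"rtf-disguised-as-office:{name}")
            elif not payload.startswith(OLE_MAGIC):
                findings.append(f"not-ole-container:{name}")
    return findings

def build_sample() -> bytes:
    """Constructed message modelled on the first sample; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Spoofed ATC Officer <officer@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Germany Chancellor Again Comments on Lhasa protests"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"{\\rtf1\\ansi constructed placeholder, not an exploit}",
                       maintype="application", subtype="msword",
                       filename="Germany Chancellor Again Comments on Lhasa Protests.doc")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` reports the known subject, the known attachment name and the RTF-under-.doc mismatch; only the last check generalizes to variants whose subject and file name are not yet on the list.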
If you see any of these messages in your inbox, please delete them immediately. If you’ve already opened or downloaded the attached files, please coordinate with the Trend Micro support team. As a rule, always be cautious when opening your email, especially when opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt, as cybercriminals are adept at spoofing email addresses to make messages appear legitimate.
We will continue to monitor this campaign and update this blog post with our analysis.
With additional text by Nart Villeneuve