APT actors using big events as a lure to compromise their targets is nothing new. Tibetan NGOs being targeted by APT actors is also nothing new. Thus, around the upcoming G20 2014 summit being held in Brisbane, Australia, we were expecting to see G20-themed threats targeted at Tibetan NGOs. A Win32/Farfli (alias Gh0st RAT) sample ultimately confirmed our suspicions.
Gh0st RAT is an off-the-shelf RAT used by a variety of threat actors. It has been used in the past in numerous targeted campaigns as well as in crimeware-like operations. The sample we were looking at had a very low number of detections amongst our users: only two hits, both in China. After a quick dynamic analysis, we saw that the magic word used in this sample's network communications is “LURK0” instead of the infamous “Gh0st”. This particular magic word has been used against Tibetan groups in the past.
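The magic word is the cheapest network-level handle a defender has on this family. The detector below is an added example, not code from the post or from ESET; it assumes the commonly documented Gh0st framing (5-byte magic, little-endian uint32 total length, uint32 uncompressed length, zlib-compressed body) and uses constructed sample flows rather than captured traffic. It matches on both the stock “Gh0st” magic and the “LURK0” variant, and rejects payloads whose length fields or zlib body do not check out, so a bare five-byte string match does not fire on unrelated data.

```python
import struct
import zlib

# Magic words named in the post: stock "Gh0st" and the "LURK0" variant
KNOWN_MAGICS = {b"Gh0st": "Gh0st RAT (stock)", b"LURK0": "Gh0st RAT (LURK0 variant)"}
HEADER_LEN = 13  # 5-byte magic + uint32 total length + uint32 uncompressed length

def parse_gh0st_frame(payload: bytes):
    """Return (label, decompressed_body) if payload is a self-consistent
    Gh0st-style frame with a known magic, otherwise None."""
    if len(payload) < HEADER_LEN:
        return None
    label = KNOWN_MAGICS.get(payload[:5])
    if label is None:
        return None
    total_len, orig_len = struct.unpack("<II", payload[5:HEADER_LEN])
    # Total length covers the header too; a mismatch means this is not the protocol
    if total_len != len(payload):
        return None
    try:
        body = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None
    return (label, body) if len(body) == orig_len else None

def build_frame(magic: bytes, body: bytes) -> bytes:
    """Constructed test helper: frame a body the way the assumed layout does."""
    comp = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp

def scan_flows(flows):
    """Map each (flow_id, first_bytes) pair to a family label or None."""
    verdicts = {}
    for flow_id, data in flows:
        hit = parse_gh0st_frame(data)
        verdicts[flow_id] = hit[0] if hit else None
    return verdicts

SAMPLE_FLOWS = [  # constructed traffic, not captured data
    ("flow-1", build_frame(b"LURK0", b"\x01\x00" + b"A" * 40)),
    ("flow-2", build_frame(b"Gh0st", b"\x65\x00")),
    ("flow-3", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("flow-4", b"LURK0" + b"\x00" * 20),  # right magic, bogus length fields
]

if __name__ == "__main__":
    for flow_id, verdict in scan_flows(SAMPLE_FLOWS).items():
        print(flow_id, verdict or "no match")
```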
Targeted Attacks against Tibetan Advocates using G20 Summit