Malicious Tibetan-themed email campaigns are still going strong, targeting pro-Tibetan organizations and tricking recipients into installing malware on their machines.
One such apparently innocuous email, recently spotted by Trend Micro researchers, contains a link that takes victims to a site where a script checks whether their machine runs Windows or Mac OS.
The site then loads a Java applet that exploits a vulnerability on the victim's machine to download and install a backdoor matching the detected OS: SASFIS on Windows, OLYX on Mac OS.
“Both backdoors report back to the same C&C server,” explain the researchers.
“Moreover, both backdoors have functionalities that include features to allow them to upload and download files and navigate through files and directories in the affected system, providing them further means for their lateral movement and data exfiltration activities.”
They also point out that the OLYX backdoor closely resembles Gh0st RAT, one of the remote access tools favoured by the attackers behind the advanced persistent campaigns that have been targeting pro-Tibetan organizations and NGOs for some time now.
This particular C&C server has also been seen a number of times before in connection with these and similar attacks.
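The two details worth hunting on in this report are the infection chain (a browser visit to the landing page followed by the Java runtime fetching a .jar from the same site) and the fact that the Windows and Mac backdoors call back to the same C&C host. The script below, an added example that is not part of the original article or of Trend Micro's analysis, correlates both over proxy logs: it finds per-client landing chains and then flags any destination that clients of more than one OS family contact shortly afterwards. The log line format, the hostnames (landing.example, c2.example and the rest), the IP addresses and the time windows are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (assumed format: timestamp client_ip "user_agent" method url status).
# Two clients (one Windows, one Mac) follow the landing page -> Java .jar -> callback chain;
# a third client only runs a legitimate Java download from an unrelated host.
SAMPLE_LOG = """\
2012-03-27T10:01:02Z 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19" GET http://landing.example/tibet.html 200
2012-03-27T10:01:05Z 10.0.0.5 "Java/1.6.0_29" GET http://landing.example/loader.jar 200
2012-03-27T10:02:10Z 10.0.0.5 "Mozilla/4.0" POST http://c2.example/check.php 200
2012-03-27T10:05:00Z 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3" GET http://landing.example/tibet.html 200
2012-03-27T10:05:03Z 10.0.0.9 "Java/1.6.0_29" GET http://landing.example/loader.jar 200
2012-03-27T10:06:20Z 10.0.0.9 "Mozilla/4.0" POST http://c2.example/check.php 200
2012-03-27T10:07:00Z 10.0.0.12 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19" GET http://news.example/index.html 200
2012-03-27T10:07:30Z 10.0.0.12 "Java/1.6.0_29" GET http://updates.example/app.jar 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')
HOST_RE = re.compile(r'^https?://([^/]+)')


def parse_log(text):
    """Parse the assumed log format into dicts sorted by timestamp; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, ua, method, url, status = m.groups()
        host = HOST_RE.match(url)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "ua": ua, "method": method, "url": url,
            "host": host.group(1) if host else "", "status": int(status),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def os_family(ua):
    """Coarse OS classification from the User-Agent; the Java runtime gets its own class."""
    if ua.startswith("Java/"):
        return "java"
    if "Windows" in ua:
        return "windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "mac"
    return "unknown"


def find_landing_chains(records, window=timedelta(minutes=5)):
    """Per client: a browser page view on host H followed within `window` by the Java
    runtime fetching a .jar from the same H. Returns (ip, os_family, host, jar_time) tuples."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    chains = []
    for ip, recs in by_ip.items():
        for i, jar in enumerate(recs):
            if os_family(jar["ua"]) != "java" or not jar["url"].lower().endswith(".jar"):
                continue
            for prev in recs[:i]:
                fam = os_family(prev["ua"])
                if fam in ("windows", "mac") and prev["host"] == jar["host"] \
                        and jar["ts"] - prev["ts"] <= window:
                    chains.append((ip, fam, jar["host"], jar["ts"]))
                    break
    return chains


def shared_callbacks(records, chains, window=timedelta(minutes=10)):
    """Destinations (other than the landing host) contacted after a chain by clients of
    more than one OS family: the shared-C&C pattern the report describes."""
    dest_os = defaultdict(set)
    for ip, fam, landing_host, jar_time in chains:
        for r in records:
            if r["ip"] == ip and r["host"] != landing_host \
                    and jar_time < r["ts"] <= jar_time + window:
                dest_os[r["host"]].add(fam)
    return {h: sorted(f) for h, f in dest_os.items() if len(f) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = find_landing_chains(recs)
    for ip, fam, host, when in found:
        print(f"landing chain: {ip} ({fam}) -> {host} at {when.isoformat()}")
    for host, families in shared_callbacks(recs, found).items():
        print(f"shared callback host: {host} contacted by {', '.join(families)} clients")
```

The third client is deliberately left unflagged: its browser visit and its .jar download go to different hosts, which is what a legitimate Java Web Start deployment usually looks like, so the landing-page heuristic needs the same-host condition to keep noise down. In practice you would feed `parse_log` the real proxy export after adapting `LINE_RE` to its format, and treat any host returned by `shared_callbacks` as a candidate C&C to pivot on across the rest of the estate.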