• The malspam campaign relied on a mailing list managed by the Central Tibetan Administration (CTA).
  • ExileRAT shared the same command-and-control (C2) server that the LuckyCat trojan had used earlier.

A new malspam campaign has been found targeting the Tibetan government-in-exile. The campaign appears to target a mailing list managed by the CTA. The spam email carries a malicious PowerPoint attachment named ‘Tibet-was-never-a-part-of-China.ppsx’ that contains a script which downloads ExileRAT onto the recipient's system.

According to Cisco Talos, which discovered the campaign, ExileRAT operates on infrastructure shared with other malware.

“The infrastructure used for the command and control (C2) in this campaign has been previously linked to the LuckyCat Android- and Windows-based trojans. The discovery of the C2 led us to identify multiple campaigns being hosted on the C2 using the same payloads, configurations and more. The malicious PPSX file was used as the dropper to allow the attacker to execute various JavaScript scripts to download the payload,” stated the Talos blog.

Modus Operandi

The emails were sent to everyone subscribed to the CTA’s mailing list. DearMail, an Indian bulk-mail service provider, is believed to have maintained the list.

The email body references the 60th anniversary of the Dalai Lama's exile from Tibet. The attached PowerPoint slideshow is a copy of the book Tibet Was Never A Part Of China, reproduced from the PDF edition, with part of the ExileRAT dropper script hidden inside it.

When the PPSX attachment is opened, it connects to the C2 server, which delivers JavaScript that downloads the payload “syshost.exe”, the ExileRAT binary, from the same C2. At this point the system is infected: the RAT collects system information such as the computer name, username, drive listing, network adapters and running process names, and can also manage system processes.
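A practitioner receiving such an attachment would want to triage it without opening it in PowerPoint. The following Python script is an added example, not code from the article or from Talos: it treats the PPSX as the ZIP container it is, parses every `.rels` part, and flags relationships that point at remote hosts, embedded OLE objects under `ppt/embeddings/`, and script-like member names. The sample PPSX is constructed in memory for demonstration (it does not render), the hostname `example.invalid` is a placeholder, and the heuristic is generic: it does not reproduce the exact dropper mechanism used in this campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship namespace used by every Office Open XML .rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Member names that have no business in a plain slideshow.
SUSPICIOUS_SUFFIXES = (".bin", ".js", ".vbs", ".exe", ".hta", ".ps1", ".sct")
REMOTE_SCHEMES = ("http://", "https://", "file://", "\\\\")


def triage_ppsx(data: bytes) -> dict:
    """Inspect a PPSX/PPTX (a ZIP container) without opening it in Office.

    Returns:
      external_targets:   (part, relationship type, Target) for every
                          relationship marked TargetMode="External"
      embeddings:         members under ppt/embeddings/ (OLE objects)
      suspicious_members: members with script- or binary-like names
    """
    findings = {"external_targets": [], "embeddings": [], "suspicious_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("ppt/embeddings/"):
                findings["embeddings"].append(name)
            if lower.endswith(SUSPICIOUS_SUFFIXES):
                findings["suspicious_members"].append(name)
            if lower.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode", "").lower() == "external":
                        findings["external_targets"].append(
                            (name, rel.get("Type", ""), rel.get("Target", "")))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Ordinary hyperlinks are common in legitimate decks, so only a non-hyperlink
    relationship that reaches out to a remote host is treated as a red flag,
    alongside any embedded object or script-like member."""
    for _part, rel_type, target in findings["external_targets"]:
        if rel_type.endswith("/hyperlink"):
            continue
        if target.lower().startswith(REMOTE_SCHEMES):
            return True
    return bool(findings["embeddings"]) or bool(findings["suspicious_members"])


def build_sample_ppsx(external_target: str = "", rel_type: str = "oleObject") -> bytes:
    """Constructed sample: a minimal, non-rendering PPSX with one slide whose
    relationships optionally include an external target of the given type.
    This is demonstration data, not the campaign's attachment."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            f'<Relationships xmlns="{REL_NS}">',
            f'<Relationship Id="rId1" Type="{OFFICE_REL}slideLayout" '
            'Target="../slideLayouts/slideLayout1.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}{rel_type}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p='
                    '"http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # A deck that pulls an OLE object from a remote host is flagged; a plain
    # clickable link is not.
    bad = triage_ppsx(build_sample_ppsx("http://example.invalid/loader", "oleObject"))
    link = triage_ppsx(build_sample_ppsx("https://example.invalid/page", "hyperlink"))
    print("remote oleObject:", is_suspicious(bad), bad["external_targets"])
    print("plain hyperlink:", is_suspicious(link))
```

To run it against a real attachment, pass `open(path, "rb").read()` to `triage_ppsx` and review the returned parts by hand; a hit means the file should go to a sandbox, not a user's desktop.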

Cyware Publisher