# Full Report
APT actors using big events as a lure to compromise their targets is nothing new. Tibetan NGOs being targeted by APT actors is also nothing new. Thus, in the run-up to the G20 2014 summit being held in Brisbane, Australia, we were expecting to see G20-themed threats targeted at Tibetan NGOs. A Win32/Farfli (alias Gh0st RAT) sample ultimately confirmed our suspicions.
# Analysis Summary
# Threat Actor: Unattributed APT Actor (Utilizing Gh0st RAT/Win32/Farfli)
## Attribution & Identity
The actor is an APT targeting Tibetan-affiliated organizations. Specific attribution remains undetermined due to insufficient evidence, although the activity shows characteristics common to targeted attacks. The threat leverages the widely available **Win32/Farfli** malware, also known as **Gh0st RAT**.
## Activity Summary
The actor conducted a campaign centered around the **G20 2014 summit in Brisbane, Australia**. They used a spear-phishing email, seemingly sourced from an Australian Tibet Council rally announcement, to lure targets into opening a malicious document titled "A\_Solution\_for\_Tibet.doc." This activity confirms prior expectations of G20-themed threats targeting Tibetan NGOs.
## Tactics, Techniques & Procedures
- **Spear Phishing:** Used convincing email content related to a political event (G20 rally) to trick recipients.
- **Exploitation of Vulnerabilities:** The delivered Word document specifically exploited **CVE-2012-0158** to achieve initial compromise.
- **Use of standardized tools:** Deployed the widely available **Gh0st RAT** for remote control rather than custom malware.
- **Custom C2 Signatures:** The Gh0st RAT sample used a specific magic word ("LURK0") in network communications, which has been observed previously in attacks against Tibetan groups.
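An added example (not from the original report) of how a defender might flag the "LURK0" variant in reassembled network traffic. It assumes the 13-byte Gh0st header layout from the public Gh0st RAT source (5-byte magic, two little-endian 32-bit lengths, then a zlib-compressed body) and runs over a constructed sample stream, not a real capture.

```python
import struct
import zlib

# Header layout from the public Gh0st RAT source: 5-byte magic, uint32 LE
# total packet length (header included), uint32 LE decompressed length,
# then a zlib stream. The first decompressed byte is the command/token code.
HEADER_LEN = 13
# Default Gh0st magic plus the "LURK0" variant reported in this campaign.
KNOWN_MAGICS = {b"Gh0st", b"LURK0"}


def parse_gh0st_packet(data: bytes):
    """Return (magic, payload) if data starts with a well-formed Gh0st packet,
    else None. Lengths are validated before decompression so a truncated or
    hostile packet cannot push the parser out of bounds."""
    if len(data) < HEADER_LEN or data[:5] not in KNOWN_MAGICS:
        return None
    total_len, orig_len = struct.unpack_from("<II", data, 5)
    if total_len < HEADER_LEN or total_len > len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(payload) != orig_len:
        return None
    return data[:5], payload


def scan_stream(stream: bytes):
    """Walk a reassembled TCP stream; return (offset, magic, token) per hit."""
    hits, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        parsed = parse_gh0st_packet(stream[offset:])
        if parsed is None:
            offset += 1  # no packet here, slide forward one byte
            continue
        magic, payload = parsed
        hits.append((offset, magic.decode("ascii"), payload[0]))
        offset += struct.unpack_from("<I", stream, offset + 5)[0]
    return hits


def build_packet(magic: bytes, payload: bytes) -> bytes:
    """Constructed sample traffic for exercising the detector (not a capture)."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


# Constructed stream: leading noise, a LURK0 beacon, then a default-magic packet.
SAMPLE_STREAM = (b"\x00junk" + build_packet(b"LURK0", b"\x65beacon")
                 + build_packet(b"Gh0st", b"\x01hello"))
```

Because the magic sits in cleartext at the start of every packet, the same check translates directly into an IDS content match on the first five bytes of a TCP payload.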
## Targeting
- Sectors: Non-Governmental Organizations (NGOs) with religious or political agendas.
- Geography: Recipients in Europe (the email was addressed to the European Central Tibetan Administration); the lure itself concerned an event in Australia.
- Victims: Specifically mentioned targeting the **European Central Tibetan Administration**. The general profile is Tibetan NGOs.
## Tools & Infrastructure
- **Malware families used:** Win32/Farfli (Gh0st RAT).
- **Infrastructure (C2, domains, IPs):**
- mailindia[.]imbss[.]in
- godson355[.]vicp[.]cc (Observed in targeted attacks previously)
- **Dropped Location (Windows XP):** C:\Documents and Settings\Administrator\Application Data\Micbt (File name: RasTls.exe)
## Implications
The actor demonstrates a sustained interest in Tibetan groups, utilizing major geopolitical events (like the G20 summit) as highly effective lures. The use of the well-known but likely still functional CVE-2012-0158 shows a pragmatism in targeting systems that may not be fully patched, even in politically sensitive organizations.
## Mitigations
- Exercise extreme caution regarding email attachments, especially those related to current events or high-profile political gatherings.
- Ensure all operating systems and software (including Microsoft Office) are fully patched, so that old but still widely exploited vulnerabilities such as CVE-2012-0158 are closed.
- Organizations with political, religious, or environmental agendas should maintain heightened vigilance against spear-phishing.