Malicious Email Campaign Uses Current Socio-Political Events as Lure for Targeted Attack

We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue.  One of these messages is about the supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet.  The From field indicates that it came from a key officer from the ATC or Australian Tibet Council.  But of course, the email is faked and the email address was just created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once downloaded, the file detected as TROJ_ARTIEF.AE exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop other files. This file is detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information once specific shell commands are executed. These stolen data are then uploaded to malicious sites.

We received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association Central, which contains the recent speech given by TWA during the 56^th Session of the Commission on the Status of Women at the United Nation Commission. Like the first sample, it comes with a .DOC file of the complete speech.  This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.

Based on our analysis, we have reason to believe that these messages are part of a targeted attack.  Both samples use specific political issues as social engineering bait.  We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the TibetMovement.  The messages spoofed the organizations TWA Central and Australian Tibet Council to appear credible to intended recipients. This is a common technique used by spammers and those behind targeted attack campaigns and does not necessarily mean that these groups were compromised.  To add to our suspicions that this is a possible targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.

Below is a list of email we intercepted with malicious attachments related to this incident. This list, however, is not definitive as there may be other variants yet to be seen.

Email Subject	Attachment File Name	Attachment Type	Attachment Detection Name	Dropped File Detection Name
Germany Chancellor Again Comments on Lhasa protests	Germany Chancellor Again Comments on Lhasa Protests.doc	.DOC	TROJ_ARTIEF.SV	TSPY_MARADE.AA
TWA’s speech in the meeting of the United Nations Commission for Human Rights	TheSpeech.doc	.DOC	TROJ_ARTIEF.CP	TROJ_REDOSDR.AH
Fowarding of TWA message	English_Final_Statement.doc, English_Final_Statement_1.doc	.DOC	TROJ_ARTIEF.DA, TROJ_ARTIEF.DB	TROJ_SWISYN.GT
Open Letter To President Hu	Letter.doc	.DOC	TROJ_ARTIEF.DD	TSPY_ROFU.NSS
Tibetan environmental situations for the past 10 years	Tibetan environmental statistics.xls	.XLS	TROJ_MDROPPR.BJ	BKDR_MECIV.AC
An Urgent Appeal Co-signed by Three Tibetans	Appeal to Tibetans To Cease Self-Immolation.doc	.DOC	TROJ_ARTIEF.CX	TROJ_SASFIS.UL
About TYC Centrex Notice and New email id of TYC Centrex	Centrex_Contact.doc	.DOC	TROJ_ARTIEF.CZ	TROJ_SHWOM.A
[Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day.	march10.doc	.DOC	TROJ_ARTIEF.DF	TROJ_SHWOM.A
10th march speech	10th March final.doc, 10th March final.pdf	.DOC, .PDF	TROJ_ARTIEF.CU	BKDR_MECIV.AA, BKDR_MECIV.AD
FW: Call for End to Burnings	Support List.xls	.XLS	TROJ_MDROPPR.BK	BKDR_PROTUX.BK, BKDR_PROTUX.BJ
Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012	Public Talk by the Dalai Lama.doc	.DOC	TROJ_ARTIEF.DG	TROJ_SWISYN.GT
Bonafide Certificate of Miss Tenzin Tselha	tentselha.zip (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg)	ZIP (containing LNK, EXE, JPG)	TROJ_REDOSDR.AH	TROJ_REDOSDR.AH
TWA mourns the self immolation deaths of two female protesters this past weekend	TWA mourns the self immolation deaths of two female protesters.doc	.DOC	TROJ_ARTIEF.SM3	TSPY_MARADE.AA, TSPY_ZBOT.BPG
Self-Immolations: New heightened form of Non Violent protests in Tibet	TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc	.DOC	TROJ_ARTIEF.DH	BKDR_AGENT.ZZZZ
Arrest and protests mar ‘Losar’ week in Tibet.eml	an appealing letter to the United Nations.doc	.DOC	TROJ_ARTIEF.CW	TROJ_SWISYN.HV
UN Human Rights Council publishes written statement on discrimination in Tibet.eml	G1210456.doc	.DOC	TROJ_ARTIEF.CT	TROJ_SWISYN.HV
Students For A Free Tibet !.eml	Action Plan for March 10th.doc	.DOC	TROJ_ARTIEF.JD	BKDR_DUOJEEN.A

The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from way back in 2008 such as the ones we wrote about here and here, you will find similarities from past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Wordvulnerability to drop infostealing malware.

If you see any of these messages in your inbox, please delete them immediately. If you’ve already opened or downloaded the attached files, please coordinate with Trend Micro support team. As a rule, always be cautious with opening your email, especially with opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt as cybercriminals are crafty with spoofing email addresses to make it appear legitimate.

We will continue to monitor this campaign and update this blog post with our analysis.