ExileRAT Shares C2 with LuckyCat, Targets Tibet


ExileRAT Shares C2 with LuckyCat, Targets Tibet (Feb 4, 2019)

Researchers from Cisco Talos discovered a spear phishing campaign targeting individuals in Tibet that installs the "ExileRAT" Remote Access Trojan. The phishing email targets subscribers to the mailing list of the "Central Tibetan Administration," the organisation that represents the Tibetan government-in-exile, and uses a malicious Microsoft Office attachment pretending to be the document "Tibet-was-never-a-part-of-China" to trick users into opening it. The infection chain begins by exploiting a known Microsoft Office remote code execution vulnerability, "CVE-2017-0199," and then establishing a connection to the Command and Control (C2) server. The C2 then delivers a script that downloads the payload that installs the RAT. The RAT is capable of collecting system information, including the computer name, a listing of drives, network adapters, process names, and the username, as well as retrieving and pushing files and executing or terminating processes. The C2 infrastructure is similar to that of the malware "LuckyCat," which has been observed targeting Tibetan activists in the past and is attributed to Chinese threat groups.
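CVE-2017-0199 lures are triggered by an OLE object whose relationship in the document package points at an external URL rather than an embedded part, so the delivery document can be checked before anyone opens it. The script below is an added example written for this briefing, not code from Cisco Talos or from the campaign: it unpacks an OOXML file, walks every `.rels` part and flags OLE relationships marked `TargetMode="External"`. The sample package it builds in memory is constructed for the demonstration, and the `http://example.invalid/lure.hta` target is a placeholder, not an indicator from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by relationship parts (OPC package relationships).
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_external_ole_links(data: bytes):
    """Return a list of (rels_part, target) for every OLE relationship that
    points outside the package. Word, Excel and PowerPoint each keep these in
    different *_rels/*.rels parts, so every .rels part in the zip is scanned.
    Raises zipfile.BadZipFile for input that is not an OOXML package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not a relationship file we can read
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                # An OLE object that resolves to an external target is the
                # pattern CVE-2017-0199 documents rely on to fetch an HTA.
                if mode == "External" and rtype.lower().endswith("/oleobject"):
                    hits.append((name, target))
    return hits


def build_sample_pptx(external_ole_target=None) -> bytes:
    """Constructed minimal PowerPoint-style package for the demonstration
    (not a real lure). With external_ole_target set, the slide's OLE
    relationship is External and points at it; otherwise it points at an
    embedded part, which is what a benign embedded object looks like."""
    if external_ole_target:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   f'Target="{external_ole_target}" TargetMode="External"/>')
    else:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   f'Target="../embeddings/oleObject1.bin"/>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        f'{ole_rel}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.'
                    'openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder target; a real lure points at attacker infrastructure.
    suspicious = build_sample_pptx("http://example.invalid/lure.hta")
    benign = build_sample_pptx()
    for label, blob in (("suspicious", suspicious), ("benign", benign)):
        print(label, find_external_ole_links(blob))
```

Run it against any `.docx`, `.xlsx`, `.pptx` or `.ppsx` attachment by passing the file's bytes to `find_external_ole_links`; a non-empty result is not proof of exploitation on its own (legitimate documents can link external objects), but it is the review trigger that warrants opening the file only in an isolated environment.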

Recommendation: The use of current events in spear phishing campaigns is yet another aspect of phishing that all users must be aware of. In the case of an ExileRAT infection, the affected system must be wiped and reformatted. Incident response should begin by identifying the infection vector, and all other users who received the email should be checked for a similar infection. Users should always be suspicious of emails containing attachments or links that arrive unsolicited. Threat actors are constantly adapting and becoming more sophisticated in their phishing delivery methods, disguising senders better to appear legitimate. Education and awareness are crucial to recognising potentially malicious emails.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.