Cybercriminals rely on malware hybridization to ensure the success of their campaigns

Apr 14, 2012 09:36 GMT

Cybercriminals continue to target Tibetan activists, but as it turns out, they slightly changed their attack tactics. Experts found that they are sending out emails that purport to contain instructions on how to use “Tibetan Input Method for Apple iOS 4.2 devices.”

It all starts with an email that carries two attachments: an RTF file and an archive.

The malicious files actually hide the Trojan known as TROJ_ARTIEF.EDX, designed to exploit a stack-based buffer overflow vulnerability in Microsoft Office products in order to drop a backdoor called Riler, infected with a variant of Sality, into the affected computer’s temporary folder.

To avoid raising any suspicion, the RTF file also opens a legitimate document that contains instructions on how to use the input method on Apple machines.
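The attack chain above starts with an RTF attachment that carries more than the decoy document. As an added example (not from the article and not Trend Micro's code), the following Python script does the static triage a mail gateway or analyst could run on such an attachment before it reaches a user: it counts embedded OLE objects, decodes the hex payload of every `\objdata` group, and flags any payload that begins with an MZ header, i.e. an executable hidden inside a document. The article does not describe the internals of TROJ_ARTIEF.EDX, so the constructed sample RTFs, the `RtfTriage` result type and the `LARGE_HEX_RUN` threshold are assumptions for illustration, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed samples (not files from the campaign in the article).
# The first carries an embedded OLE "Package" object whose \objdata payload
# starts with an MZ header, i.e. a PE executable; the second is plain text.
CONSTRUCTED_PACKAGE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\object\objemb{\*\objclass Package}"
    rb"{\*\objdata 4d5a90000300000004000000ffff0000b8000000"
    rb"0000000040000000000000000000000000000000}}"
    rb"\pard Instructions for the input method.\par}"
)
CONSTRUCTED_CLEAN_RTF = rb"{\rtf1\ansi\deff0\pard Plain text only.\par}"

OBJECT_RE = re.compile(rb"\\object\b")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f]{16,}")

# Size above which a bare hex run outside \objdata is worth a second look
# (assumed threshold for this example, not a value from the article).
LARGE_HEX_RUN = 4096


@dataclass
class RtfTriage:
    object_count: int = 0
    objdata_blobs: list = field(default_factory=list)  # decoded payloads
    pe_blob_count: int = 0
    longest_hex_run: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_objdata(hex_text: bytes) -> bytes:
    """Turn the hex body of an \\objdata group back into raw bytes."""
    compact = re.sub(rb"\s+", b"", hex_text)
    if len(compact) % 2:          # tolerate a truncated trailing nibble
        compact = compact[:-1]
    return bytes.fromhex(compact.decode("ascii"))


def scan_rtf(rtf: bytes) -> RtfTriage:
    """Static triage of one RTF: count embedded objects, decode their payloads,
    and record why the file deserves sandboxing rather than delivery."""
    result = RtfTriage()
    result.object_count = len(OBJECT_RE.findall(rtf))
    if result.object_count:
        result.reasons.append(f"{result.object_count} embedded object(s)")

    for match in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(match.group(1))
        result.objdata_blobs.append(blob)
        if blob.startswith(b"MZ"):   # DOS/PE header: an executable inside a document
            result.pe_blob_count += 1
    if result.pe_blob_count:
        result.reasons.append(f"{result.pe_blob_count} PE executable(s) in \\objdata")

    runs = [len(r) for r in HEX_RUN_RE.findall(rtf)]
    result.longest_hex_run = max(runs, default=0)
    if result.longest_hex_run > LARGE_HEX_RUN:
        result.reasons.append(f"hex run of {result.longest_hex_run} chars")
    return result


if __name__ == "__main__":
    for name, sample in (("package", CONSTRUCTED_PACKAGE_RTF),
                         ("clean", CONSTRUCTED_CLEAN_RTF)):
        t = scan_rtf(sample)
        print(name, "suspicious" if t.suspicious else "clean", t.reasons)
```

A hit on any of these checks does not prove the file exploits a parser bug of the kind the article describes; it only shows the document is carrying something a decoy never needs, which is enough to route the attachment to a sandbox instead of the inbox.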

Once they find themselves on the computer, the malicious elements allow their masters to gain access to the machine and remotely control it.

Experts highlight the fact that cybercriminals rely more and more on the hybridization of malware.

“In this campaign, we can see that the attackers are starting to maximize the said vector by utilizing the previous malware hybridization trick to drop multiple malware payloads. Not only does this give them the benefits of hybridization, it also helps them circumvent the challenges of further installing other malware,” Roland Dela Paz, threat response engineer at Trend Micro, explains.

Security solutions providers have issued numerous warnings to alert Tibetans on the cyber threats that target them.

Since the topic of Tibet and the country’s freedom has recorded a considerable growth in popularity, it’s expected that malicious operations will keep targeting Internet users who have an interest in the subject. That is why internauts are advised to be extra cautious when receiving Tibet-themed emails, or when coming across such messages on social media networks.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1