APT actors targeted Tibetan nongovernmental organizations (NGOs) in recent attacks surrounding the G20 2014 summit in Brisbane, Australia.
ESET researchers identified a Gh0st RAT sample that, they said, had a low number of detections among their users. This RAT has previously been used by various threat actors, in both targeted campaigns and crimeware-like operations.
In this specific attack, victims received an email as part of a spear phishing scheme. The email, supposedly from “Tibet Press,” invited recipients to a “rally for Tibet” and had a Word document attached, which victims presumed would provide more details. Instead, the document exploited CVE-2012-0158, a vulnerability whose exploitation could allow Gh0st RAT to be installed.