Level 34
Content Creator
Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. In our case, we received an email message from the CTA mailing list containing an attachment, "Tibet-was-never-a-part-of-China.ppsx," meant to attack subscribers of this Tibetan news mailing list. Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain. This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.

Once we began analysis on this document, we discovered additional campaigns that shared infrastructure and payloads. The infrastructure used for the command and control (C2) in this campaign has been previously linked to the LuckyCat Android- and Windows-based trojans. The discovery of the C2 led us to identify multiple campaigns being hosted on the C2 using the same payloads, configurations and more. The malicious PPSX file was used as the dropper to allow the attacker to execute various JavaScript scripts to download the payload. The PPSX document sent to the CTA mailing list looked like this:
Everyone on the CTA's mailing list received this email. The mailing list's infrastructure is run out of DearMail, an India-based company that bills itself as a "powerful cloud enabled web-based email campaign manager." The attackers modified the standard Reply-To header normally used by the CTA mailings so that any responses would be directed back to an email address belonging to the attackers: mediabureauin [at] gmail.com. The email message itself references the upcoming 60th anniversary of the Dalai Lama's exile on March 31. The document is a large slide show, over 240 slides in length, claimed to have been created by the Central Tibetan Administration. This PPSX is actually a copy of a legitimate PDF available for download from the tibet.net homepage from the Central Tibetan Administration here. The slideshow's file name, "Tibet-was-never-a-part-of-China," is identical to a legitimate PDF published November 1, 2018, which demonstrates the attacker moved quickly to abuse this. This attack abuses CVE-2017-0199, an arbitrary code execution vulnerability in Microsoft Office.
This attack was yet another evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities. For example, an attack we called "Persian Stalker" in November utilized vulnerabilities in secure messaging apps to steal messages that users thought were private. A separate attack in India last year also targeted mobile devices, this time through the use of malicious mobile device management (MDM) software.