Email spy campaign targeted recipients on CTA mailing list


(, Feb06’19) – Computer researchers have recently detected a malicious email attachment which steals information from users on a mailing list run by the Central Tibetan Administration (CTA) at Dharamsala, India. The attacker uses the title of a legitimate download file but the unsuspecting recipient instead gets a malicious software that siphons information from their computer system.

Researchers with Cisco Talos recently discovered emails that spammed subscribers on the CTA’s mailing list, reported Feb 4. The emails, which purported to be from the CTA, said they were commemorating the upcoming 60th anniversary of the Dalai Lama’s exile on Mar 31 with an attached Microsoft PowerPoint document titled “Tibet Was Never A Part of China.” 

This publication also received a similar email, but it purported to be from the Tibetan Women’s Association and was promptly deleted.

The researchers have found the attachment to be actually a malicious PPSX file used as a dropper to allow an attacker to execute various JavaScript scripts and eventually download a payload onto the victims’ systems.

The attack is said to exploit CVE-2017-0199, a high-severity vulnerability in Microsoft Office, which allows remote attackers to execute arbitrary code via a crafted document. Once downloaded, the malicious PPSX file then executes a Javascript that’s responsible for downloading the payload, ExileRAT, (“syshost.exe”) from the command and control server (C2).

ExileRAT is capable of siphoning information on the system (computer name, username, listing drives, network adapter, process name), pushing files and executing or terminating processes, the report said.

The infrastructure used for the C2 in the campaign was previously found to be linked to the LuckyCat Android RAT, which was used in 2012 against Tibetan activists, in a campaign targeting pro-Tibetan sympathizers, the researchers have said.

“This newer [Jan 3] version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing,” Cisco’s researchers were quoted as saying.

“Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain,” researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz, were quoted as saying in a Feb 4 analysis. “This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.”

The researchers have said they had no further information for now regarding the bad actor behind this malicious campaign.

The report cited Craig Williams, director of outreach for Cisco Talos, as saying the firm observed the first sample from the campaign on Jan 30.

Everyone on the CTA mailing list is said to have received the email.

The researchers have said the attackers had modified the standard “Reply-To” header so that any responses would be directed back to an email address belonging to the bad actors (mediabureauin [at]

“The slideshow’s file name, ‘Tibet-was-never-a-part-of-China,’ is identical to a legitimate PDF published Nov 1, 2018 (by the CTA), which demonstrates the attacker moved quickly to abuse this,” they have said.


Please enter your comment!
Please enter your name here