ExileRat Targeting Tibetan Supporters via Malicious PowerPoint Docs
Researchers with the Cisco Talos Group have discovered a malspam campaign targeting the mailing list of the Central Tibetan Administration (CTA), which is also referred to as the Tibetan Government in Exile. In the first stage of the attack, threat actors sent an email to everyone on the mailing list and made it look as though the CTA was the sender.
The email had the subject “Tibet-was-never-a-part-of-China” and included an attachment of the same name. The attachment was a malicious version of a legitimate CTA PowerPoint presentation that installed the ExileRat remote access Trojan (RAT) when it was opened. The RAT enabled threat actors to steal information from and execute commands on infected computers.