Cybercriminals Leverage Mass Stabbing in China to Distribute Gh0st RAT

Email with RAT attached to it

Cybercriminals are leveraging the recent incident in which dozens of people were stabbed to death at a railway station in Kunming, China, to distribute a piece of malware that lets them take over infected computers.

The attack took place on March 1, 2014. A total of 33 people were reportedly stabbed to death and many others were injured.

Trend Micro has spotted malicious emails carrying the subject line “Fw: Kunming train station knife attack leaves 33 dead and more than 130 injudred.”

The emails describe the incident by citing a number of sources. They instruct recipients to open the attachments to learn more.

There are a total of five files attached to the emails: four image files and one document. The image files are harmless, but the document is a Trojan dropper built to exploit an old Microsoft Office vulnerability (CVE-2012-0158, a buffer overflow in the MSCOMCTL ActiveX control that ships with Office, patched by Microsoft in April 2012 in bulletin MS12-027) in order to install a backdoor. The exploit only works on systems that have gone nearly two years without that update.

The backdoor, detected by Trend Micro as BKDR_GHOST.LRK and better known as Gh0st RAT, gives the attackers remote control of the infected machine. It can also be used to capture information via keylogging, screen grabs and audio recording.

Researchers have also found a string in the malware’s command and control (C&C) communications that is similar to one spotted in the GhostNet campaign, a cyber-espionage operation documented in 2009 and attributed to Chinese actors, which targeted Tibetan institutions.
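The string the researchers refer to sits in the C&C framing, which is the part of Gh0st RAT that network defenders usually signature. The classic Gh0st protocol frames every message as a 5-byte tag (the default is the literal "Gh0st"), a little-endian 32-bit total packet length, a little-endian 32-bit uncompressed length, and a zlib-compressed body. Operators routinely swap the 5-byte tag for a custom one, so a detector that keys only on "Gh0st" misses re-tagged variants. The following is an added example, not code from Trend Micro or from the article; it shows a framing-aware check that validates the length fields and the zlib header instead of trusting the tag. The sample flows are constructed, and the example does not claim to know which tag BKDR_GHOST.LRK actually used.

```python
import struct
import zlib

HEADER_LEN = 13  # 5-byte tag + two little-endian uint32 length fields


def build_gh0st_packet(payload: bytes, tag: bytes = b"Gh0st") -> bytes:
    """Frame a payload the way the classic Gh0st RAT does.

    Used here only to construct test traffic; the real client does the same
    framing in its network layer.
    """
    if len(tag) != 5:
        raise ValueError("Gh0st tag is always 5 bytes")
    body = zlib.compress(payload)
    total_len = HEADER_LEN + len(body)
    return tag + struct.pack("<II", total_len, len(payload)) + body


def looks_like_zlib_header(two_bytes: bytes) -> bool:
    """RFC 1950 check: CM must be 8 (deflate) and CMF*256+FLG must be 0 mod 31."""
    if len(two_bytes) != 2:
        return False
    cmf, flg = two_bytes[0], two_bytes[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def parse_gh0st_packet(data: bytes):
    """Return (tag, decompressed_payload) if data is Gh0st-framed, else None.

    The tag is deliberately NOT compared against "Gh0st": re-tagged variants
    keep the rest of the framing intact, so we validate structure instead.
    """
    if len(data) < HEADER_LEN:
        return None
    tag = data[:5]
    total_len, raw_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data):
        return None  # length field must describe the whole packet
    body = data[HEADER_LEN:]
    if not looks_like_zlib_header(body[:2]):
        return None
    try:
        payload = zlib.decompress(body)
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None  # uncompressed-length field must match what we got
    return tag, payload


# Constructed sample flows: one default-tag Gh0st packet, one benign HTTP
# request, and one Gh0st packet whose tag was swapped for a custom string.
SAMPLE_FLOWS = {
    "10.0.0.5:49152 -> 203.0.113.7:443": build_gh0st_packet(b"\x65" + b"\x00" * 8),
    "10.0.0.5:49153 -> 198.51.100.2:80": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "10.0.0.5:49154 -> 203.0.113.9:8080": build_gh0st_packet(b"hello", tag=b"HEART"),
}


def scan_flows(flows):
    """Return (flow, tag, payload_length) for every flow with valid Gh0st framing."""
    hits = []
    for name, data in flows.items():
        parsed = parse_gh0st_packet(data)
        if parsed is not None:
            tag, payload = parsed
            hits.append((name, tag.decode("latin-1"), len(payload)))
    return hits


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("Gh0st-style framing in %s (tag=%r, %d payload bytes)" % hit)
```

On real traffic the check runs per TCP stream rather than per packet, since a Gh0st message can span segments; the total-length field tells the reassembler how many bytes to collect before attempting the decode. The tag that survives the check is exactly the kind of string the article's researchers compared against GhostNet samples.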

Experts warn that while these particular emails are likely part of a targeted attack, ordinary users should also be wary of such messages, because many cybercriminal operations use current news events as lures.
