2-Extended Analysis-Full
Communities @ Risk (p. 43)
EXTENDED ANALYSIS: 2.2 Cluster Analysis

that rely entirely on social engineering, paired with targeted emails that are not customized for the target (TTI: 2.0), to moderately customized emails with malware that has minor code protection (TTI: 3.75). While the technical sophistication of the malware does not vary widely, all of the malware families observed show active and consistent development over the course of the study.

MALWARE ANALYSIS

The malicious emails used a combination of social engineering and exploits against a variety of vulnerabilities to install malware on the victim's computer.

The vectors we observed include:

• An attached .zip file containing an executable
• An attached Word document using CVE-2009-0563
• A link to a Java .jar file using CVE-2011-3544
• A link to a Java .jar file using CVE-2012-0507

The subject and body text of all of the emails targeting the Tibet Groups contained information relating to Tibetan news and activities (e.g., current world events, upcoming rallies, and self-immolations).

We see Word document vectors first being sent in early 2013. Interestingly, these attacks use a vulnerability made public back in 2009. The use of this vulnerability may be due to the Java vulnerabilities having a higher chance of being patched by the Tibetan community after they received substantial media attention. However, as the Word documents were all part of one campaign, it is likely just coincidence, as an email carrying the later Java vulnerability was received while the Word campaign was still underway.

We observed three malware families targeting OS X, all of which are simple RATs with low technical sophistication scores:

• Revir/IMuler (technical score: 1.0)
• Olyx/Lamadai/PubSab (technical score: 1.0)
• MacControl (technical score: 1.25)
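As an added example (not code from the report) of how a defender might triage incoming mail against the four delivery vectors listed above: a small Python classifier that flags ZIP attachments containing an executable, Word attachments, and links to .jar files. The regex, the MZ magic-byte check and the constructed sample ZIP are my own assumptions; a match is a triage signal for a sandbox, not confirmation that the named CVE is exploited.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

JAR_LINK_RE = re.compile(r"https?://\S+\.jar\b", re.IGNORECASE)
PE_MAGIC = b"MZ"  # DOS/PE header that opens a Windows executable

@dataclass
class Message:
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes

def zip_has_executable(data: bytes) -> bool:
    """True if any ZIP member carries an executable extension or a PE header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith((".exe", ".scr", ".com", ".pif")):
                    return True
                with zf.open(info) as member:
                    if member.read(2) == PE_MAGIC:  # catches renamed executables
                        return True
    except zipfile.BadZipFile:
        return False
    return False

def classify_vectors(msg: Message) -> list[str]:
    """Label a message with the report's vectors it matches (triage, not proof of exploit)."""
    found = []
    for name, data in msg.attachments.items():
        lower = name.lower()
        if lower.endswith(".zip") and zip_has_executable(data):
            found.append("zip-with-executable")
        elif lower.endswith((".doc", ".docx")):
            found.append("word-document")  # candidate for CVE-2009-0563; confirm in a sandbox
    if JAR_LINK_RE.search(msg.body):
        found.append("java-jar-link")  # candidate for CVE-2011-3544 / CVE-2012-0507
    return found

def build_sample_zip(executable: bool = True) -> bytes:
    """Constructed sample: ZIP holding a fake MZ stub (not a real program) or plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if executable:
            zf.writestr("news_update.exe", PE_MAGIC + b"\x90" * 62)
        else:
            zf.writestr("readme.txt", b"just text")
    return buf.getvalue()
```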
