This blog post reports on a malware attack in which a compromised version of Kakao Talk, an Android-based mobile messaging client, was sent in a highly-targeted email to a prominent individual in the Tibetan community. The malware is designed to send a user’s contacts, SMS message history, and cellular network location to attackers. This post was updated on 18 April 2013.
This is the update to “Permission to Spy: An Analysis of Android Malware Targeting Tibetans”, written in the Tibetan language.
In this research brief, Seth Hardy describes malware (“GLASSES”) sent in 2010 that is a simple downloader closely related to malware described by Mandiant in their APT1 report. GLASSES appears to be a previous version of malware called GOGGLES by Mandiant, and was sent in a highly targeted email to a Tibetan human rights organization, demonstrating that APT1 is involved in more than just industrial and corporate espionage.
This is an update to our November 2011 report titled The Canadian Connection: An investigation of Syrian government and Hezbullah web hosting in Canada, which examined the use of web servers based in Canada, the U.S., and European countries to host Syrian government websites and websites of the Lebanese political party Hezbullah. Our findings indicate that, while many of the websites we examined in 2011 have changed hosting providers, a number of Syrian government and Hezbullah websites still maintain an online presence through the services of North American and European web hosts.
The Citizen Lab has analyzed recent targeted malware attacks against Tibetan organizations that share a common payload — LURK malware — and command-and-control server, as well as several other features.
The Citizen Lab analyzes a recent targeted malware attack against the Tibetan community spoofing the June 14, 2012 resolution of the European Parliament (EP) on the human rights situation in Tibet. While such repurposing of authentic content for use as a malware delivery mechanism is not unusual, this incident raises serious questions surrounding the use of legitimate political resources for illegitimate ends.
The use of remote surveillance software against activists has been a feature of the ongoing conflict in Syria. Today, the EFF and Citizen Lab report on the use of a new toolkit by a previously observed attacker. This actor has been circulating malware that surreptitiously installs BlackShades RAT on victims' machines.
This post is the first in a series of analyses that the Citizen Lab is preparing regarding the urgent and ongoing threat presented by information operations deployed against Tibetans and others who advocate for Tibetan rights and freedoms, including in Tibetan areas of China.
A new report, entitled The Canadian Connection: An investigation of Syrian government and Hezbullah web hosting in Canada, continues Citizen Lab research into the intersection of the private sector, authoritarianism, and cyberspace regulation, turning our attention to a component of the Internet that does not typically receive the same amount of attention as filtering, surveillance, and computer network attack products and services: web hosting services.