Malware writers are exploiting four RTF parser vulnerabilities in a long-running campaign targeting journalists, human rights activists, and Tibetans across Hong Kong and Taiwan.
An Arbor Networks study found miscreants are exploiting since-patched vulnerabilities in Microsoft Office's handling of rich text files (CVE-2012-0158; CVE-2012-1856; CVE-2015-1641; and CVE-2015-1770), which help deliver at least six forms of Chinese malware.
The research team reckons the characteristics of the tools, tactics and procedures match pre-existing targeting patterns against the "Five Poisons" – organisations and individuals it said were "associated with perceived threats to Chinese government rule: Uyghurs, Tibetans, Falun Gong, members of the democracy movement and advocates for an independent Taiwan". The campaign overlaps with another Chinese operation dubbed Shrouded Crossbow.
"The RTF files observed herein contained up to four unique exploits for various versions of Office," the team says in an intelligence report [PDF].
"Due to the easy delivery of RTF files as attachments and the observation of numerous spear phish samples which reveal precise targeting and timelines, it is likely that spearphish was the primary vector of choice for most or all of the targeted exploitation scenarios."
The attacks follow the cycle typical of those hitting Tibetan activists: a phishing email purporting to contain information relating to US sanctions, which carries a malicious attachment.
Those files are compiled using a builder labelled the Four Element Sword, which also resembles known malware.
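Because the lure in this campaign is an RTF attachment carrying embedded objects, the obvious place to catch it is mail-gateway triage of RTF files before they reach Office. The script below is an added example, not code from the article or from Arbor Networks: it decodes every `\objdata` hex payload in an RTF, counts how many wrap an OLE compound file (the container used for embedded Office and ActiveX objects), and flags the document for analyst review when any are present. It makes no attempt to recognise the four CVEs named above; the sample RTF, the object class names and the `_ole1_wrapped` helper are constructed for the demonstration.

```python
"""Triage an RTF attachment for embedded OLE objects (added example).

Assumption: a benign RTF memo rarely embeds OLE compound documents, so
any \\objdata payload containing the CFB signature is worth a look.
"""
import binascii
import re

# OLE compound-file (CFB) header signature. Inside \objdata the object is
# normally wrapped in an OLE 1.0 header, so the magic appears somewhere in
# the decoded payload rather than at offset 0.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

_OBJECT_RE = re.compile(rb"\\object\b")                      # one per embedded object
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\r\n]+)")   # declared class name
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]*)")   # hex payload up to '}'


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex payload; whitespace and line wraps are ignored."""
    payloads = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        if hexstr:
            payloads.append(binascii.unhexlify(hexstr))
    return payloads


def triage_rtf(rtf: bytes) -> dict:
    """Summarise embedded objects so an analyst can decide whether to detonate."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "object_count": 0, "ole_compound_objects": 0,
                "classes": [], "verdict": "not-rtf"}
    payloads = extract_objdata(rtf)
    ole_count = sum(1 for p in payloads if OLE_MAGIC in p)
    classes = [c.strip().decode("latin-1") for c in _OBJCLASS_RE.findall(rtf)]
    return {"is_rtf": True,
            "object_count": len(_OBJECT_RE.findall(rtf)),
            "ole_compound_objects": ole_count,
            "classes": classes,
            "verdict": "review" if ole_count else "clean"}


# --- constructed sample input -------------------------------------------------
def _ole1_wrapped(native: bytes, classname: bytes) -> bytes:
    """Minimal OLE 1.0 ObjectHeader (version, FormatID=2 embedded, class name) + data."""
    cn = classname + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(cn).to_bytes(4, "little") + cn
            + b"\x00\x00\x00\x00" * 2              # empty TopicName / ItemName
            + len(native).to_bytes(4, "little") + native)


def _hex_wrapped(data: bytes, width: int = 64) -> bytes:
    """Hex-encode and line-wrap the way RTF writers emit \\objdata."""
    h = binascii.hexlify(data)
    return b"\n".join(h[i:i + width] for i in range(0, len(h), width))


_CFB_OBJECT = _ole1_wrapped(OLE_MAGIC + b"\x00" * 24, b"Package")      # compound file inside
_TEXT_OBJECT = _ole1_wrapped(b"plain text, no compound file", b"Text")  # harmless filler

SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\\pard\n"
    b"Please see the attached note on the sanctions decision.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n" + _hex_wrapped(_CFB_OBJECT) + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Text}{\\*\\objdata\n" + _hex_wrapped(_TEXT_OBJECT) + b"}}\n"
    b"}"
)

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

On the constructed sample this reports two `\object` blocks, one of them carrying a compound file, and returns the verdict `review`. Real samples from this campaign would need to be run through the same path; a gateway rule built on this logic would quarantine any RTF whose verdict is `review` rather than trusting the declared class name, since `\objclass` is attacker-controlled text.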
Long-patched vulnerabilities still work against activists in the region because poorly maintained systems leave users exposed to old bugs.
The attacks come ahead of the Tibetan general election, which spells opportunity for phishers prepared to craft malicious campaigns around political news. ®