ExileRAT

ExileRAT is a Remote Access Trojan (RAT) that has been used to target computers associated with the Central Tibetan Administration or CTA. The CTA, based in India, is the organization that represents the Tibetan government in exile officially since Tibet is occupied by China currently, an act that the CTA considers as unlawful. Because ExileRAT is being used to target the CTA, there is some suspicion that ExileRAT may be part of a state-sponsored malware attack. It is important that computer users associated with divisive political causes such as the free Tibet movement take extra steps to safeguard the security and networks of their computers since they are often a prime target for malware attacks.

Why the ExileRAT Campaign is Threatening

Recently, PC security researchers reported spam emails targeting subscribers to the mailing list maintained by CTA. The victims of these emails received emails supposedly coming from CTA inviting them to a march and event, and containing a Microsoft PowerPoint attachment titled ' Was Never A Part of China.' ExileRAT will be downloaded and installed onto the victim's computer by this attachment, which uses corrupted scripts to accomplish this task. Once installed, ExileRAT is used to collect information from the infected computer. It is clear that the purpose of ExileRAT is espionage rather than trying to make money at the expense of computer users since its main goal is to gather data. This reinforces the theory that ExileRAT is state-sponsored, possibly designed by a government attempting to spy on possible enemies or civilians.

How the Campaign Being Used to Distribute ExileRAT Works

ExileRAT exists independently of this campaign targeting CTA, but this is one of the most prominent recent uses of this threat. The first emails associated with this recent spam email campaign first appeared on January 30, 2019. ExileRAT, however, predates this campaign. The corrupted document used to deliver ExileRAT is a copy of a legitimate PDF file that can be downloaded from the CTA website, allowing the victim to be tricked into viewing its contents while ExileRAT is installed in the background.

ExileRAT takes advantage of the security vulnerability exploit CVE-2017-0199 to compromise the victim's computer. Once ExileRAT has been installed, it establishes a connection with its Command and Control server, sending information about the affected computer such as the computer name, username, drives, network adapter, process names, etc. ExileRAT also can be used to deliver corrupted files to the infected computer, manipulate file processes, and collect data directly. Some of the infrastructure associated with the ExileRAT campaign has been linked to other RATs, such as the Android RAT and LuckyCat, which share a Command and Control server with the campaign used to deliver ExileRAT to CTA subscribers. These other RATs were used in attacks against Tibetan activists as far back as 2012; which makes these attacks not new at all.

Staying Safe from Threats Like ExileRAT

Political activists must make sure to stay safe from threats like ExileRAT since specifically malware distributors and developers target them frequently. Since ExileRAT is mainly delivered via email, it is important to confirm the sender and origin of any email message, especially those containing attached files and embedded links. Computer users also should be suspicious of any additional content like this that is included in an unsolicited email message. Computer users should protect their computers from threats like ExileRAT by using a security program that is always operational, which can be used to intercept corrupted scripts associated with campaigns delivering ExileRAT or similar threats. It also is important to establish strong passwords and online security protocols.