Written by Sean Lyngaas

A recently discovered PowerPoint file offers new clues on how hackers are trying to spy on Tibet’s government-in-exile.

The malicious document was emailed to subscribers of a mailing list managed by the Central Tibetan Administration (CTA), the organization representing Tibet’s exiled government, according to Talos, Cisco’s threat intelligence unit. Tibet is officially part of China, but Tibetan leaders have lived in exile in India for decades. The email masqueraded as a file that would appeal to their politics.

The PowerPoint file name – “Tibet-was-never-a-part-of-China.ppsx” – caters to the CTA mailing list, as does the message in the body of the email marking the upcoming 60th anniversary of the exile of Tibetan spiritual leader the Dalai Lama, researchers said.

“Unfortunately, this [is] just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons,” Talos researchers said in a blog published Monday. They did not attribute the malware to a particular nation-state. The Tibetan diaspora has been targeted in a series of malware campaigns since 2016.

The recent espionage operation mimicked online tools that CTA mailing-list members likely would have trusted. For example, the PowerPoint file copied a legitimate PDF available on CTA’s website, Talos found. The attackers also altered the mailing list’s “Reply-to” form to direct responses to a Gmail address they controlled, and registered a domain that closely resembled Gmail, likely to aid their phishing campaigns.

The research shows that the PowerPoint file was the tip of the spear: it let hackers execute multiple JavaScripts to deliver the payload. The attack abused an unpatched Microsoft Office remote-code execution vulnerability.

The PowerPoint document led the researchers through a labyrinth of other malicious infrastructure. From there, they discovered other hacking campaigns that shared similarities with the attack on CTA, including Windows trojans and an updated version of Android malware that monitored Tibetan activists in 2012.

Researchers said the seven-year-old malware underwent a makeover last month to allow it to record audio and steal a user’s location and personal contacts.

While acknowledging that the perpetrators’ determination was concerning, the Talos blog post ended on a positive note. “Having stopped this attack quickly, we hope that the disruption caused by Cisco Talos will ensure the adversary must regroup,” researchers wrote.