ExileRAT shares C2 with LuckyCat, targets Tibet

Warren Mercer, Paul Rascagneres and Jaeson Schultz authored this post.

Executive summary

Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. In our case, we received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx,” meant to attack subscribers of this Tibetan news mailing list. Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain. This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.


This attack was yet another evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities. For example, an attack we called “Persian Stalker” in November utilized vulnerabilities in secure messaging apps to steal messages that users thought were private. A separate attack in India last year also targeted mobile devices, this time through the use of malicious mobile device management (MDM) software. This PPSX document was using the CVE-2017-0199 vulnerability to force a victim to download an additional payload. Clearly, the defensive best-practice of patching systems against known vulnerabilities continues to be critical and can help insulate organizations against these kinds of attacks. These specific attacks are most likely aimed at espionage as opposed to financial gain. Having stopped this attack quickly, we hope that the disruption caused by Cisco Talos will ensure the adversary must regroup.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Back to blog home page

Join our Newsletter

Get updates and the latest scoop in your inbox