Chinese Hackers Exploit Windows Systems with Ghost RAT and PhantomNet Malware in Targeted Espionage Campaigns

In the weeks leading up to the Dalai Lama’s 90th birthday, cybersecurity researchers identified two sophisticated cyber espionage campaigns, dubbed Operation Chat and Operation PhantomPrayers. These operations, attributed to Chinese state-sponsored actors, targeted Windows systems by exploiting increased traffic to Tibetan-themed websites, deploying advanced malware such as Ghost RAT and PhantomNet.

Strategic Web Compromise and Malware Deployment

The attackers initiated their campaigns by compromising legitimate Tibetan-related websites. They subtly altered hyperlinks to redirect visitors to malicious domains, notably those under niccenter[.]net. Unsuspecting users were prompted to download what appeared to be Tibetan-language chat applications. However, these downloads were Trojanized installers designed to deploy malware upon execution.

Once executed, these installers unleashed either Ghost RAT or the newer PhantomNet implant. Both malware variants provided the attackers with extensive surveillance capabilities, including access to files, webcams, microphones, and system controls.

Technical Breakdown of the Attack Chain

The infection process employed a multi-stage loading mechanism that abused DLL sideloading: a malicious DLL was placed where a legitimately signed executable would load it by name. For instance, in the case of Ghost RAT, the legitimate Element.exe was used to sideload a malicious ffmpeg.dll (the Stage-1 loader). This DLL decrypted embedded shellcode, which was then injected into the ImagingDevices.exe process. To ensure persistence, a registry entry was created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Element, causing the loader to execute at every system startup.

Similarly, Operation PhantomPrayers utilized DalaiLamaCheckin.exe to drop libvlc.dll along with an encrypted .tmp file into the %APPDATA%\Birthday directory. A shortcut named Birthday Reminder.lnk was placed in the Startup folder, ensuring that VLC.exe would sideload the malicious DLL upon user login.

The Stage-2 shellcode was compressed using the NRV2D algorithm, while the Stage-3 payloads were full PE executables with scrubbed headers to evade static analysis. The decryption process involved multiple layers, including RC4 and AES algorithms, to unlock the final payloads.
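A host-side check for the persistence and sideloading artifacts described above, written as an added example for this page (it is not code from the article or from the researchers who analysed the campaigns). It assumes the Trojanized Element.exe was dropped somewhere under the user's profile or Program Files, which the article does not specify, and it surfaces candidates for analyst review rather than confirming an infection.

```powershell
# Added example, not from the article. Hunts for the persistence and sideloading
# artifacts described in the report on one Windows host (run in an elevated shell).
$findings = @()

# 1. Ghost RAT chain: Run-key value "Element" under HKLM
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Element' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "Element = $($run.Element)" }
}

# 2. PhantomPrayers chain: "Birthday Reminder.lnk" in a Startup folder (per-user or all-users)
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'Birthday Reminder.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $target = $shell.CreateShortcut($lnk).TargetPath   # report says this points at VLC.exe
        $findings += [pscustomobject]@{ Type = 'StartupLnk'; Detail = "$lnk -> $target" }
    }
}

# 3. PhantomPrayers staging directory: libvlc.dll plus an encrypted .tmp under %APPDATA%\Birthday
$staging = Join-Path $env:APPDATA 'Birthday'
if (Test-Path -LiteralPath $staging) {
    foreach ($f in Get-ChildItem -LiteralPath $staging -File) {
        if ($f.Name -ieq 'libvlc.dll' -or $f.Extension -ieq '.tmp') {
            $findings += [pscustomobject]@{ Type = 'StagingFile'; Detail = $f.FullName }
        }
    }
}

# 4. Ghost RAT chain: ffmpeg.dll sitting next to an Element.exe. The article does not say
#    where the installer places them, so search user-writable locations and Program Files
#    (assumption). Flag the DLL if its Authenticode signature does not verify.
$roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($exe in Get-ChildItem -Path $roots -Filter 'Element.exe' -Recurse -File -ErrorAction SilentlyContinue) {
    $dll = Join-Path $exe.DirectoryName 'ffmpeg.dll'
    if (-not (Test-Path -LiteralPath $dll)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid') {
        $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'SideloadDll'; Detail = "$dll status=$($sig.Status) sha256=$hash" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No artifacts from the report found.' }
```

A genuine Element desktop install also ships an ffmpeg.dll that may not carry its own Authenticode signature, so a SideloadDll hit is a lead, not a verdict: compare the reported SHA-256 against a copy from a known-good install of the same version before acting on it.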

Command and Control Communication

Ghost RAT established communication with command and control (C2) servers at 104.234.15[.]90:19999 using a custom KuGou TCP protocol. The communication packets were encrypted with a modified RC4 algorithm, which was also used to obfuscate its on-disk configuration.

PhantomNet, on the other hand, supported both raw TCP and HTTPS protocols to communicate with its C2 server at 45.154.12[.]93:2233. The traffic was encrypted using AES with a dynamically derived key, enhancing the stealth and security of the communication.

Advanced Capabilities and Persistence Mechanisms

Both Ghost RAT and PhantomNet extended their functionalities through on-demand plugin DLLs, which were XOR- or AES-encoded until loaded. These plugins provided a range of capabilities, including remote shell access, keylogging, clipboard data theft, and full registry manipulation.

The attackers demonstrated a high level of sophistication by utilizing low-level Nt and Rtl system calls instead of higher-level Win32 APIs. This approach was intended to bypass many endpoint detection and response (EDR) hooks, thereby evading detection.

Implications and Recommendations

These campaigns underscore the persistent threat posed by state-sponsored cyber actors targeting specific communities and organizations. The use of legitimate software components to sideload malicious code highlights the need for vigilance in software supply chains and the importance of verifying the integrity of software downloads.

Organizations and individuals are advised to implement robust cybersecurity measures, including regular software updates, endpoint protection solutions, and user education on recognizing phishing attempts and suspicious downloads.