A malware campaign targeting activists at pro-Tibet organisations could be the work of the same Chinese group behind a major attack on the chemical industry last year, researchers from AlienVault have suggested.

The new attack uses a malicious Word attachment sent by email to organisations including the Central Tibet Administration and International Campaign for Tibet using English-language subject lines promoting a Tibetan religious festival.

This attachment attempts to exploit a relatively old Microsoft vulnerability (CVE-2010-3333) in order to launch GhostNet’s Gh0st RAT Trojan, which is normally designed to steal data and can even record sound files via a PC’s microphone. It is also capable of performing real-time surveillance on an infected machine.

AlienVault notes a number of similarities to the Nitro campaign of July to September 2011, a large-scale attack on the chemical and defence industries that hit up to 48 different companies.

The malware used in the Nitro attacks was Poison Ivy, a Chinese-developed Trojan related to Gh0st RAT, signed with a VeriSign digital certificate that had been issued to a Chinese company and was later revoked on 12 December. Embedded within the code that launches the Trojan is the string ‘ByShe’, identical to that used in Nitro.
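As a defender-side illustration of the two indicators reported above (an RTF exploit document for CVE-2010-3333 arriving as a Word attachment, and the ‘ByShe’ marker string in the code that launches the Trojan), here is an added attachment-triage helper. It is example code written for this article, not AlienVault’s or Symantec’s tooling. The check for the `pFragments` shape property is a well-known characteristic of CVE-2010-3333 exploit documents that the article itself does not state; the file names and sample bytes are constructed for the demonstration.

```python
"""Triage helper for inbound Word/RTF attachments (added example).

Flags two indicators:
  * an RTF document carrying the 'pFragments' shape property that
    CVE-2010-3333 exploit documents abuse (known CVE characteristic,
    assumed here; not taken from the article), and
  * the 'ByShe' marker string the article reports in the Nitro and
    Tibet samples.
"""
import re
from dataclasses import dataclass, field

# {\sn pFragments} is the shape-property name in the malformed RTF.
PFRAGMENTS_RE = re.compile(rb"\\sn\s+pFragments", re.IGNORECASE)
BYSHE = b"ByShe"


@dataclass
class Verdict:
    is_rtf: bool
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def triage_attachment(data: bytes) -> Verdict:
    """Return a Verdict for one attachment body, whatever its extension."""
    # RTF content starts with the {\rtf group even when named .doc.
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    verdict = Verdict(is_rtf=is_rtf)
    if is_rtf and PFRAGMENTS_RE.search(data):
        verdict.indicators.append("rtf pFragments property (CVE-2010-3333 pattern)")
    if BYSHE in data:
        verdict.indicators.append("marker string 'ByShe'")
    return verdict


# Constructed samples (not real attachments from the campaign).
BENIGN_RTF = b"{\\rtf1\\ansi Losar greetings from the organising committee.\\par}"
SUSPECT_RTF = (
    b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv placeholder}}}}"
    b"ByShe\\par}"
)
# OLE2 compound-document magic, i.e. a binary .doc rather than RTF.
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32


def main() -> None:
    samples = [
        ("losar_invite.doc", BENIGN_RTF),      # constructed file name
        ("festival_schedule.doc", SUSPECT_RTF),  # constructed file name
        ("report.doc", OLE_DOC),               # constructed file name
    ]
    for name, blob in samples:
        v = triage_attachment(blob)
        print(f"{name}: rtf={v.is_rtf} suspicious={v.suspicious} {v.indicators}")


if __name__ == "__main__":
    main()
```

A mail gateway or SOC script would call `triage_attachment` on each decoded attachment and quarantine anything whose `suspicious` flag is set; the extension is deliberately ignored because an RTF exploit file is routinely delivered with a `.doc` name.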

The modus operandi of attacking political organisations is also consistent with Nitro, which is believed to have started life as a concerted campaign against human rights groups in early 2011.

“It is no surprise that Tibetan organisations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organisations with impunity,” said AlienVault’s Jaime Blasco.

“Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”

A detailed analysis of the Nitro attacks was published by Symantec. If AlienVault’s detective work is correct, it looks as if the same group has developed a parallel line of business in political attacks.

AlienVault promises to reveal more details about the latest attacks in the coming weeks.