When it comes to targeted attacks, Tibetan-themed campaigns seem to be a popular choice for attackers. They don’t lose momentum and just keep coming back day after day.
Recently I saw one of these attacks that had an interesting chain of events. It used multiple layers, including one that abused a legitimate, digitally signed Nvidia application. Although we were already protecting users against it, I decided to dig a little deeper and find out exactly what was happening.
The path from malicious document to installed backdoor was not as simple as you might imagine.
What I found was a multi-stage installation process involving a security vulnerability, two stages of shellcode, an archive, and an innocent application abused by the attackers. In this article we will explore how the attack worked, including technical details along the way.