
SURTR (dd919e75-57e8-4e5c-9451-8be6e734f1f3)

The Citizen Lab analyzed a malicious email sent to Tibetan organizations in June 2013. The email in question purported to be from a prominent member of the Tibetan community and repurposed content from a community mailing list. Attached to the email were what appeared to be three Microsoft Word documents (.doc), but which were trojaned with a malware family we call “Surtr”.[1] All three attachments drop the exact same malware. We have seen the Surtr malware family used in attacks on Tibetan groups dating back to November 2012.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| SURTR (dd919e75-57e8-4e5c-9451-8be6e734f1f3) | Tool | surtr (8666afcc-8cc2-4856-83de-b7e8b4309367) | Malpedia | 1 |
| SURTR (dd919e75-57e8-4e5c-9451-8be6e734f1f3) | Tool | SunOrcal (80365d3a-6d46-4195-a772-364749a6dc06) | Tool | 1 |
| SURTR (dd919e75-57e8-4e5c-9451-8be6e734f1f3) | Tool | Reaver (22b75148-9d58-4fa7-8459-6ef25bbaf759) | Tool | 1 |
| SunOrcal (80365d3a-6d46-4195-a772-364749a6dc06) | Tool | SunOrcal (a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4) | Malpedia | 2 |
| SunOrcal (80365d3a-6d46-4195-a772-364749a6dc06) | Tool | Reaver (22b75148-9d58-4fa7-8459-6ef25bbaf759) | Tool | 2 |
| Reaver (826c31ca-2617-47e4-b236-205da3881182) | Malpedia | Reaver (22b75148-9d58-4fa7-8459-6ef25bbaf759) | Tool | 2 |