
ATTACKERS TARGETING UYGHUR GROUP IN CHINA USING PHISHING TECHNIQUES

INTRODUCTION

Malicious actors are involved in tricking the Uyghur community to download a Windows backdoor in attempts to extract confidential and sensitive information from their systems.

DETAILS

According to research by Check Point Research, conducted in cooperation with Kaspersky, Uyghur groups located in China and Pakistan were targeted by threat actors who went above and beyond in terms of effort by “disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up to date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups.”

The Uyghurs are native to the Xinjiang Uyghur Autonomous Region in Northwest China and are recognized as a regional minority by the Chinese government. The Uyghur community is held under strict surveillance, with the region closely monitored, and for the past six years thousands of individuals have been put through inhumane methods in what the government calls “Vocational Education and Training Centers.”

It is believed that these camps are used for human rights abuses, torture, and even genocide (allegations which have been denied). Human Rights Watch says that the camps “have been used to indoctrinate Uyghurs and other Muslims since 2017 as part of a people’s war on terror.”

The Uyghur group has also previously been a target of espionage campaigns and exfiltration of personal data including photos and account information.

In March, Facebook said that it had intervened and disrupted an attempt by a China-based attack group known as Evil Eye, which targeted the Uyghur community with the intent of getting victims to download malicious software that would expose their systems and devices.

The threat actors built their attack around a phishing campaign and played on the emotions of the Uyghur community by sending out “documents” focusing on human rights violations. The attackers used UN themes (for example, the logo of the United Nations Human Rights Council) to make these malicious files appear more trustworthy.

“After clicking on ‘Enable Editing’, a malicious external template is downloaded from officemodel[.]org. This template has embedded VBA macro code, which then checks the operating system’s architecture, and based on this proceeds to decode a 32-bit or a 64-bit payload,” said the research.

The embedded payloads in the document are decoded and then saved in the %TEMP% directory as “OfficeUpdate.exe.” The researchers noted that the payload performs evasion and anti-debugging techniques with the help of certain functions.

The domain present in the document resolved to an IP address meant to impersonate the Office of the United Nations High Commissioner for Human Rights.
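As an added illustration, not part of the original article or of the researchers' work, the following Python script checks a .docx for the remote-template relationship this delivery chain relies on: it reads word/_rels/settings.xml.rels and reports any attachedTemplate that points at an external http(s) URL. The host example.invalid is a placeholder, and build_sample_docx constructs its test input inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes):
    """Return hostnames of every http(s) attachedTemplate target in a .docx.
    A remote-template document points settings.xml.rels at an external URL;
    the macro-bearing template is fetched from there once editing is enabled."""
    hosts = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hosts  # no attached template at all: nothing to fetch
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue  # local template (e.g. Normal.dotm) or unrelated relationship
            url = urlparse(rel.get("Target", ""))
            if url.scheme in ("http", "https") and url.hostname:
                hosts.append(url.hostname)
    return hosts


def build_sample_docx(target, external=True):
    """Constructed test data: a minimal docx-shaped zip with one attachedTemplate."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid stands in for the attacker-controlled domain named in the article.
    print(external_templates(build_sample_docx("http://example.invalid/t.dotm")))  # ['example.invalid']
    print(external_templates(build_sample_docx("Normal.dotm", external=False)))    # []
```

Any non-empty result is worth a closer look in a mail gateway or sandbox, since a legitimate document rarely needs to pull its template over the internet.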

Upon further investigation, the researchers found another IP address that resolved to a domain pretending to be the website of the “Turkic Culture and Heritage Foundation” (TCAHF).

According to the researchers, “TCAHF is supposedly a private organization that funds and supports groups working for ‘Turkic culture and human rights’, when in truth it is a made up entity, and most of its website’s content is copied from the legitimate opensocietyfoundations.org.”

Nothing on the website appears out of order until a visitor attempts to apply for a grant, at which point the website asks the visitor to download a program that scans their Windows environment, claiming this is to make sure the operating system is safe before a transaction is secured.

The downloaded tool actually turns out to be a .NET backdoor that connects to a remote server assisting in the exfiltration of data including currently running processes and installed applications.

The malicious website hosted at least two variants of Windows implants, one dubbed WebAssistant and the other TchafUpdate. The former was available in May 2020, while the latter was seen in October 2020.

The code's lack of similarity to that of any known threat group, together with its resemblance to VBA code appearing on numerous Chinese forums, led the researchers to attribute the attack to a Chinese-speaking threat actor.

There is reason to believe that the same attacker is still active, having recently registered two new domains (malaysiatcahf[.]org and icislieri[.]com) resolving to the same IP address as officemodel[.]org. “The second domain (icislieri[.]com) appears to be impersonating the Turkish Ministry of the Interior, but currently both domains redirect to the website of a Malaysian government body called the ‘Terengganu Islamic Foundation’,” said the researchers. This suggests that the attacker might be looking to target Malaysia and Turkey, although at the moment no malicious activity has been observed on those domains to support this.
