The Uyghur community located in China and Pakistan has been the subject of an ongoing espionage campaign aiming to trick the targets into downloading a Windows backdoor to amass sensitive information from their systems.
“Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups,” according to joint research published by Check Point Research and Kaspersky today.
The Uyghurs are a Turkic ethnic minority group originating from Central and East Asia and are recognized as native to the Xinjiang Uyghur Autonomous Region in Northwest China. Since at least 2015, government authorities have placed the region under tight surveillance, putting hundreds of thousands into prisons and internment camps that the government calls “Vocational Education and Training Centers.”
Over the years, the community has also been at the receiving end of a series of sustained cyberattacks that have leveraged exploit chains and watering holes to install spyware designed to harvest and exfiltrate sensitive data from email and messaging apps as well as plunder photos and login credentials.
Earlier this March, Facebook disclosed that it disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices, attributing the “persistent operation” to a China-based threat actor known as Evil Eye.
The latest cyber offensive follows a similar modus operandi in that the attacks involve sending UN-themed decoy documents (“UgyhurApplicationList.docx”) to the targets under the pretext of discussing human rights violations. The goal of the phishing message is to lure the recipients into installing a backdoor on their Windows machines.
In an alternative infection vector observed by the researchers, a fake human rights foundation called the “Turkic Culture and Heritage Foundation” (“tcahf[.]org”) — with its content copied from the George Soros-founded Open Society Foundations — was used as bait to download a .NET backdoor that purports to be a security scanner, only to connect to a remote server and transmit the gathered data, which includes system metadata and a list of installed apps and running processes.
“The malicious functionality of the TCAHF website is well disguised and only appears when the victim attempts to apply for a grant,” the researchers said. “The website then claims it must make sure the operating system is safe before entering sensitive information for the transaction, and therefore asks the victims to download a program to scan their environments.”
[Source: The Hacker News / 5.27.]