In continuous cyberattacks, a fake human rights group with the UN logo has been targeting Uyghurs.
Check Point Research (CPR) and Kaspersky’s GReAT team said on Thursday that the campaign is targeting Uyghurs, a Turkic ethnic group in Xinjiang, China, and is likely the work of a Chinese-speaking threat actor.
Potential victims are sent phishing documents branded with the United Nations’ Human Rights Council (UNHRC) logo. This document, titled UgyhurApplicationList.docx, contains fake information on human rights violations.
If the victim chooses to edit the file, VBA macro code verifies the PC’s architecture and downloads a 32- or 64-bit payload. The file, dubbed “OfficeUpdate.exe,” is shellcode that retrieves and loads a remote payload. The domains linked to the malicious email attachment lead to a malicious website that was used to distribute malware under the name of a phony human rights organization.
The domain “Turkic Culture and Heritage Foundation” (TCAHF) claims to work for “Tukric culture and human rights,” yet it is a clone of opensocietyfoundations.org, a legitimate civil rights organization.
This website, which is aimed toward Uyghurs looking for funding, tries to get visitors to download a “security scanner” before submitting the necessary information to apply for a grant. The software is a backdoor.
Although the website offered both a macOS and a Windows version, only the latter’s connection distributes the virus.
The backdoor was discovered in two versions: WebAssistant, which was delivered in May 2020, and TcahfUpdate, which was delivered in October.
Victims have been identified in China and Pakistan, particularly in Uyghur-populated areas.
While the gang does not appear to share any infrastructure with other known threat organizations, CPR and Kasperksy claim they are most likely Chinese-speaking and still active.
The researchers claim that “both domains redirect to the website of a Malaysian government agency named the “Terengganu Islamic Foundation.” “This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.”