The Uyghur community in China and Pakistan has been the target of a long-running espionage campaign that involved luring them into downloading a Windows backdoor in order to capture sensitive data from their computers.
The campaign exploited United Nations (UN) branding to target the victims, according to researchers from Check Point Research (CPR) and Kaspersky’s GReAT team.
The Uyghurs, a Turkic ethnic group in China’s Xinjiang region, were the target of the campaign, which was thought to be carried out by a Chinese-speaking threat actor.
Phishing documents using the emblem of the United Nations Human Rights Council (UNHRC) are emailed to the targets.
The document, dubbed UgyhurApplicationList.docx, contains fraudulent information on human rights breaches.
If the victim enables editing when opening the file, VBA macro code checks the PC’s architecture and downloads either a 32-bit or a 64-bit payload.
The downloaded file, “OfficeUpdate.exe”, is shellcode that retrieves and loads a remote payload, although the remote IP address was unavailable at the time of the study.
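The delivery step above relies on a Word document that carries a VBA project. A mail gateway or triage script can catch one structural signal of that without executing anything: an Office Open XML file whose extension says “no macros” (.docx) but whose zip container still holds `word/vbaProject.bin`. The following script is an added example, not code from the article or from the Check Point or Kaspersky researchers; the sample documents it inspects are constructed in memory, and the part names and extension lists are standard OOXML conventions.

```python
"""Flag Office Open XML documents that embed a VBA project despite a macro-free extension.

Added example, not from the article. It checks a structural signal only:
a document named .docx/.xlsx/.pptx that still contains a vbaProject.bin part.
The sample documents are constructed below; no real phishing file is used.
"""
import io
import zipfile

# OOXML part names that mean "this document contains VBA macros".
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions whose documents should never contain a VBA project.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def inspect_office_document(filename: str, data: bytes) -> dict:
    """Return a verdict dict for a document given its name and raw bytes."""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "extension_mismatch": False, "vba_parts": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    names = set(archive.namelist())
    if "[Content_Types].xml" not in names:
        return result  # a zip, but not shaped like an OOXML package
    result["is_ooxml"] = True
    found = [part for part in VBA_PARTS if part in names]
    result["vba_parts"] = found
    result["has_vba"] = bool(found)
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    # Macro-enabled content behind a macro-free extension is the suspicious combination.
    result["extension_mismatch"] = result["has_vba"] and ext in MACRO_FREE_EXTENSIONS
    return result


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file names; the second mimics the "clean extension, hidden macro" pattern.
    for name, payload in [("quarterly_report.docx", build_sample(False)),
                          ("grant_form.docx", build_sample(True))]:
        print(inspect_office_document(name, payload))
```

This is a triage signal, not a full analysis: a document with `extension_mismatch` set deserves a closer look (for example, decompressing and reading the macro source with oletools’ `olevba`), while a clean result says nothing about other delivery paths such as external template injection.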
The domains linked to the malicious email attachment, on the other hand, led to a malicious website that was used to distribute malware under the appearance of a fraudulent human rights organization.
The domain, presented as the “Turkic Culture and Heritage Foundation” (TCAHF), claims to work for “Tukric culture and human rights,” yet it is a clone of opensocietyfoundations.org, a legitimate civil rights organization.
This website, aimed at Uyghurs seeking grant funding, tries to get visitors to download a “security scanner” before they can submit the information required to apply for a grant.
However, the software is a backdoor.
Although the website offered both a macOS and a Windows download, only the Windows link actually delivered the malware.
The backdoor was found in two versions: WebAssistant, delivered in May 2020, and TcahfUpdate, delivered in October.
Backdoors can be used to establish persistence on victim systems, conduct cyberattacks, and steal data, as well as execute extra payloads.
Victims have been found in China and Pakistan, particularly in Uyghur-populated areas.