Cybercriminals use fake foundations to target Uyghur Minority


The Uyghur community in China and Pakistan has been the target of a long-running espionage campaign that involved luring them into downloading a Windows backdoor in order to capture sensitive data from their computers.


The campaign exploited United Nations (UN) branding to target the victims, according to researchers from Check Point Research (CPR) and Kaspersky’s GReAT team.


The Uyghurs, a Turkic ethnic group in China’s Xinjiang region, were the target of the campaign, which was thought to be carried out by a Chinese-speaking threat actor.


Phishing documents using the emblem of the United Nations Human Rights Council (UNHRC) are emailed to the targets.


The document, dubbed UgyhurApplicationList.docx, contains fraudulent information on human rights breaches.



Uyghur community phishing attack, Computer Security, computers, cyber news, cyber security news, cyber security news today, cyber security updates, cyber updates, cyberattack, cyberattacks, cybersafe news, cybersecurity, data breach, data stealing malware,  Uyghur cyberattack victim, E-Commerce, fake malware, hacker news, hacking news, how to hack, information security, InfoSec, infosec news, Uyghur community cyberattack, Uyghur community hacked, Iranian hacking group, linux, Mac, Malware, malware removal, network security, online security, personal data exposed, ransomware, ransomware attack, ransomware gang, ransomware group, ransomware malware, ransomware news, RCE, Remote Access Trojan, Remote Code Execution, rootkit, Security, smartphone, software vulnerability, spyware, Supply Chain, support, system update app, system update malware app, tech, tech news, tech support, tech updates, technical support, trojan, virus, virus removal, Vulnerability, what is ransomware, phishing attack,
Source: CPR (Delivery document carrying the UNHCR logo)



VBA macro code checks the PC’s architecture and downloads either a 32- or 64-payload if the victim enables editing while opening the file.


The file “OfficeUpdate.exe” is shellcode that retrieves and loads a remote payload, although the IP address was unavailable at the time of study.


The domains linked to the malicious email attachment, on the other hand, led to a malicious website that was used to distribute malware under the appearance of a fraudulent human rights organization.


The domain “Turkic Culture and Heritage Foundation” (TCAHF) claims to work for “Tukric culture and human rights,” yet it is a clone of, a legal civil rights organization.


This website, which is aimed toward Uyghurs looking for money, tries to get visitors to download a “security scanner” before submitting the necessary information to apply for a grant.


However, the software is a backdoor.


Although the website offered both a macOS and a Windows version, only the latter’s connection downloaded the virus.


The backdoor was discovered in two versions: WebAssistant, which was provided in May 2020, and TcahfUpdate, which was loaded in October.


Backdoors can be used to establish persistence on victim systems, conduct cyberattacks, and steal data, as well as execute extra payloads.


Victims have been found in China and Pakistan, particularly in Uyghur-populated areas.



Also read: Bose Data Breach: suffered a major ransomware attack


You might also like: Domino’s data breach: Users’ data available on dark web


You might also like: Air India Data Breach: Over 4.5 millions customers’ data impacted