Ongoing Cyber Attacks use United Nations Logo to Target Uyghurs
May 2021 by Kaspersky's GReAT, Check Point Research (CPR)
In collaboration with researchers from Kaspersky's GReAT, Check Point Research (CPR) has discovered ongoing cyber attacks targeting Uyghurs in Xinjiang, China and Pakistan. The attackers behind these cyber attacks send malicious documents under the guise of the United Nations (UN) and a fake human rights foundation to their targets, tricking them into installing a backdoor on the Microsoft Windows systems running on their computers. Once the backdoor is installed on a target's computer, the attackers can collect nearly any information they want and execute additional malware on the victim's machine.
Two Infection Vectors
CPR and Kaspersky GReAT's researchers identified two infection vectors used by the attackers:
1. Via emailed documents. The malicious documents attempt to download a backdoor onto the Windows host. These documents are likely sent via email to specific targets.
2. Via a fake foundation website. The website tries to convince visitors to download a .NET backdoor under the pretense of a "security scanner", before they fill in the sensitive information required for a grant application.
The Malicious UN-themed Delivery Document
During the investigation, a malicious UN-themed document named "UgyhurApplicationList.docx" caught the interest of CPR and Kaspersky GReAT researchers. The document, shown below, carried the logo of the United Nations Human Rights Council (UNHRC) and contained decoy content from a United Nations General Assembly session discussing human rights violations.
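The delivery document above is an Office file whose malicious macros pull down the backdoor. A first triage step for such samples is to check whether an OOXML container carries a VBA project at all; the example below is added here and is not code from the CPR/Kaspersky report. It treats the document as the zip archive that OOXML is, looks for the `word/vbaProject.bin` part and the VBA content type declaration, and flags a file that uses the macro-free `.docx` extension yet embeds macros. The sample containers it builds are constructed placeholders, not the real document.

```python
"""Triage check for macro-bearing OOXML documents (added example, not from the
report). A .docx is a zip package; by convention the .docx extension is the
macro-free format, so a VBA part inside a file with that extension is itself
a signal worth quarantining for analysis."""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_indicators(data: bytes) -> dict:
    """Return macro-related indicators for an OOXML document given as bytes."""
    result = {"is_ooxml": False, "has_vba_part": False, "declares_vba_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip, so not an OOXML package
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return result  # a zip, but not an OOXML package
    result["is_ooxml"] = True
    result["has_vba_part"] = MACRO_PART in names
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["declares_vba_type"] = MACRO_CONTENT_TYPE in ctypes
    return result


def is_suspicious_docx(filename: str, data: bytes) -> bool:
    """True when a file named .docx embeds a VBA project or declares its type."""
    ind = macro_indicators(data)
    return filename.lower().endswith(".docx") and (
        ind["has_vba_part"] or ind["declares_vba_type"]
    )


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ct += '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        if with_macro:
            ct += f'<Override PartName="/{MACRO_PART}" ContentType="{MACRO_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"constructed-placeholder-vba-project")
    return buf.getvalue()
```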
The Fake Human Rights Foundation Website
Further analysis of the document above led researchers to the discovery of a related fake foundation website that targets Uyghurs wishing to apply for a grant. The attackers made up a human rights foundation called TCAHF, standing for "Turkic Culture and Heritage Foundation", and claimed that the organization funds and supports groups working for Turkic culture and human rights. However, most of the website's content is copied from a legitimate website with the URL "opensocietyfoundations.org".
The malicious functionality of the TCAHF website is well disguised and only appears when a target attempts to apply for a grant. The website then claims it must verify that the operating system is safe before sensitive information is entered for the transaction, and therefore asks the victim to download a program to scan their environment. The website offers two download options, one for macOS and one for Windows.
Researchers assess that this campaign is intended to target the Uyghur minority or organizations supporting them. CPR and Kaspersky telemetry supported this assessment: only a handful of victims were identified, in Pakistan and China, and in both countries the victims were located in regions mostly populated by the Uyghur minority.
Although researchers were unable to find code or infrastructure overlaps with a known threat group, they attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, researchers noticed that some excerpts of the code were identical to VBA code posted on multiple Chinese-language forums, and may have been copied from there directly.
Lotem Finkelsteen, Head of Threat Intelligence at Check Point: “What we see here are cyber attacks targeting the Uyghurs. These attacks clearly utilize the theme of the UN human rights council to trick its targets into downloading malicious malware. We believe that these cyber attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community. The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”