Freely subscribe to our NEWSLETTER

Two Infection Vectors

CPR and Kaspersky GReAT´s researchers identified two infection vectors used by the attackers:
1. Via emailed documents. The malicious documents try to download a backdoor into Windows. These documents are likely sent via email to specific targets.
2. Via a fake foundation website. The website tries to convince its visitors into downloading a .NET backdoor, under the pretense of downloading a “security scanner”, prior to the filling of sensitive information needed for a grant application.

The Malicious UN-themed Delivery Document

During the investigation, a malicious UN-themed document named "UgyhurApplicationList.docx" caught the interest of CPR and Kaspersky GReAT researchers. The document, pasted below, carried the logo of the United Nations Human Rights Council (UNHRC), and contained decoy content from a United Nation’s general assembly discussing human rights violations.

The Fake Human Rights Foundation Website

Further analysis of the document above led researchers to the discovery of a related fake foundation website that attempts to target Uyghurs wishing to apply for a grant. The attackers made up a human rights foundation called TCAHF, standing for “Turkic Culture and Heritage Foundation”. The attackers alleged that the organization funds and supports groups working for Tukric culture and human rights. However, most of the website’s content is copied from a legitimate website with the url “opensocietyfoundations.org”.

The malicious functionality of the TCAHF website is well disguised, and it only appears when a target attempts to apply for a grant. The website then claims it must make sure the operating system is safe before entering sensitive information for the transaction, and therefore asks the victims to download a program to scan their environments. The website offers two download options, one for MacOS and the other for Windows.

Victims

Researchers assess that this campaign is intended to target the Uyghur minority or organizations supporting them. CPR and Kaspersky Labs’ telemetry supported this assessment, as we have identified only a handful of victims in Pakistan and China. In both cases, the victims were located in regions mostly populated by the Uyghur minority.

Attribution

Although researchers were unable to find code or infrastructure similarities to a known threat group, they attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, researchers noticed that some excerpts of the code were identical to VBA code that appeared in multiple Chinese forums, and might have been copied from there directly.

Lotem Finkelsteen, Head of Threat Intelligence at Check Point:
“What we see here are cyber attacks targeting the Uyghurs. These attacks clearly utilize the theme of the UN human rights council to trick its targets into downloading malicious malware. We believe that these cyber attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community. The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”