The Uyghur community in China and Pakistan has been the target of an ongoing espionage campaign that tricks victims into downloading a Windows backdoor used to collect sensitive information from their systems.

According to researchers from Check Point Research (CPR) and Kaspersky's GReAT team, the campaign abused United Nations (UN) branding to lure its victims.

The targets are Uyghurs, a Turkic ethnic minority concentrated in Xinjiang, China, and the campaign is believed to be the work of a Chinese-speaking threat actor.

Targets are sent phishing documents carrying the logo of the United Nations Human Rights Council (UNHRC). The document, named UgyhurApplicationList.docx, contains decoy material relating to discussions of human rights violations.

If the victim enables editing when opening the file, the embedded VBA macro checks the machine's architecture and downloads either a 32-bit or a 64-bit payload.

The dropped file, OfficeUpdate.exe, is a shellcode loader that fetches and loads a remote payload; at the time of analysis the payload server's IP address was no longer reachable, so the next stage could not be retrieved. The domains tied to the malicious attachment, however, led the investigation to a malware-delivery website posing as a human rights organization.
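The chain above (Word document, macro, dropped loader launched from a user-writable path) leaves a process-creation trail a defender can hunt for without any of the campaign's network indicators. The following is an added detection example written for this page, not code from CPR or Kaspersky: it parses constructed, Sysmon-style process-creation records and flags an Office host process spawning either an interpreter/LOLBin or an executable outside Program Files and the Windows directory. The log lines, user name and file paths are invented for the example; only the OfficeUpdate.exe name comes from the report.

```python
"""Flag Office-spawned child processes in constructed Sysmon-style process-creation events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office host processes whose children deserve scrutiny (a macro's launch point).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and living-off-the-land binaries a macro commonly stages through.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Locations where an Office-launched executable is expected. Anything else
# (AppData, Temp, Downloads, Public) is where a macro-dropped loader usually lands.
TRUSTED_PREFIXES = ("c:/program files/", "c:/program files (x86)/", "c:/windows/")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so prefix checks are simple."""
    return path.lower().replace("\\", "/")


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def parse_event(line: str) -> Event:
    """Parse one key="value" record (constructed Sysmon Event ID 1 style) into an Event."""
    fields = dict(FIELD_RE.findall(line))
    return Event(fields.get("ParentImage", ""), fields.get("Image", ""),
                 fields.get("CommandLine", ""))


def classify(ev: Event) -> Optional[str]:
    """Return a reason string when the event matches a macro-delivery pattern, else None."""
    if _basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    child = _basename(ev.image)
    if child in LOLBINS:
        return f"Office process spawned interpreter/LOLBin {child}"
    if not _norm(ev.image).startswith(TRUSTED_PREFIXES):
        return f"Office process launched executable from user-writable path: {ev.image}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every record through classify() and collect (image, reason) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append((ev.image, reason))
    return findings


# Constructed sample records; paths and user name are invented for this example.
SAMPLE_LOG = [
    # Macro drops and runs a loader from Temp: should alert.
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Users\user\AppData\Local\Temp\OfficeUpdate.exe" '
    r'CommandLine="C:\Users\user\AppData\Local\Temp\OfficeUpdate.exe"',
    # Benign: 32-bit Office handing print work to the 64-bit spooler helper.
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\splwow64.exe" CommandLine="C:\Windows\splwow64.exe 12288"',
    # Not an Office parent: out of scope for this rule.
    r'ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Users\user\Downloads\setup.exe" CommandLine="setup.exe"',
    # Macro shelling out through cmd.exe: should alert.
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c start OfficeUpdate.exe"',
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_LOG):
        print(f"ALERT {image}: {reason}")
```

The rule is deliberately parent-process based rather than name based: the loader name in this campaign was OfficeUpdate.exe, but the same logic fires whatever the next campaign calls its dropper. Expect to tune TRUSTED_PREFIXES for environments that install Office add-ins under ProgramData or per-user paths.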

The domain of the “Turkic Culture and Heritage Foundation” (TCAHF) claims the group works for “Tukric culture and human rights,” but the site's text was copied from opensocietyfoundations.org, the website of a legitimate civil rights organization.

The website, aimed at Uyghurs seeking funding, tries to lure visitors into downloading a “security scanner” before they fill in the information required to apply for a grant. The software is in fact a backdoor.

The website offered both a macOS and a Windows version, but only the Windows link actually delivered the malware.

Two versions of the backdoor were found: WebAssistant, served from May 2020, and TcahfUpdate, served from October 2020. The backdoors establish persistence on victim systems, conduct espionage and data theft, and can execute additional payloads.

Victims are located in China and Pakistan, in regions mostly populated by Uyghurs.

The post Hackers use fake foundations to target Uyghur Minority first appeared on Cybersafe News.
