New espionage campaign is focusing on the Uyghur Minority

May 28, 2021 09:17 GMT

The Uyghur minority in China and Pakistan is at the center of an ongoing espionage campaign aimed at tricking targets into downloading a Windows backdoor to collect sensitive data from their PCs. 

According to joint research published by Check Point Research and Kaspersky, "Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up to date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups".

The Uyghurs are a Turkic ethnic minority indigenous to Central and East Asia, concentrated in the Xinjiang Uyghur Autonomous Region in Northwest China. Since at least 2015, government authorities have kept a close eye on the region, detaining and interning hundreds of thousands of people in what the government calls Vocational Education and Training Centers.

Over the years, the community has also been subjected to a series of persistent cyberattacks that used exploit chains and watering holes to install malware aimed at collecting and exfiltrating personal data from email and messaging apps, as well as stealing images and login passwords.

In early March this year, Facebook announced that it had disrupted a network of malicious actors, tracked as Evil Eye, that used its platform to target the Uyghur community and lure members into downloading malware enabling surveillance of their devices.

The latest campaign uses a similar tactic, sending UN-themed decoy documents (UgyhurApplicationList.docx) to targeted individuals under the guise of discussing human rights issues. The purpose of the phishing message is to trick recipients into installing a backdoor on their Windows devices.

So far, at least two variants of the Windows backdoor have been discovered: one called WebAssistant, which was downloadable from the rogue website in May 2020, and another called TcahfUpdate, which was available in October 2020.

Conclusion 

The joint investigation into this previously unreported threat actor, which first surfaced in early 2020, reveals a sophisticated attack that targeted supporters and members of the Uyghur minority through several infection routes.

The attackers' malicious executables not only exfiltrate basic information about the compromised system but can also download a second-stage payload or, in the case of the documents, retrieve further directives from the C2 server. This means the researchers have not yet seen the full capabilities of this malware or the attackers' complete course of action after a successful infection.

The fact that the attackers are continuously registering new domains indicates that this activity is ongoing and that additional sightings or versions of the malware may appear in the near future.