The United Nations logo has been abused in a campaign to spy on Uyghurs. Check Point Research (CPR) and Kaspersky's GReAT team disclosed the campaign on Thursday; it appears to be the work of Chinese-speaking attackers and mainly targets Uyghurs, a Turkic ethnic minority, in Xinjiang, China and in Pakistan.
Targets receive phishing documents bearing the United Nations Human Rights Council (UNHRC) logo. The document, titled UgyhurApplicationList.docx, contains decoy material about discussions of human rights violations. When the victim opens the file, however, the embedded VBA macro drops code onto the system and downloads a malicious 32- or 64-bit payload matching the host.
This file, called "OfficeUpdate.exe", is a shellcode loader that retrieves its payload from a remote server, but at the time of analysis the server's IP address was no longer reachable. Metadata in the malicious email attachment allowed the investigation to be extended to a website used as the front for a fake humanitarian organization.
The "Turkic Culture and Heritage Foundation" (TCAHF) domain claims to work for "Turkic culture and human rights", but its content was copied from OpenSocietyFoundations.org, a legitimate civil rights organization.
The website, aimed at Uyghurs, purports to offer grants and requires applicants to download a "security scanner" before they can enter the information needed to apply. The software, however, is actually malicious.
The website offered both a macOS and a Windows version, but only one of the links actually served the malware. Two versions of the backdoor have been found: WebAssistant, distributed from May 2020, and TcahfUpdate, distributed from October. Once installed, the backdoor establishes persistence on the victim's computer, collects system information and steals data, and can be used to run additional payloads.
The malicious group is still active
The victims were located in China and Pakistan, mostly in Uyghur-populated areas.
According to CPR and Kaspersky, the group does not share any infrastructure with other known threat actors, but it is most likely Chinese-speaking and is still active, with new domains registered this year at the same IP address that was linked to past attacks.
"Both domains are being redirected to the website of the Malaysian government agency 'Terengganu Islamic Foundation'," the researchers said. "This suggests that the attackers are pursuing other targets in countries such as Malaysia and Turkey, although they may still be developing these resources, because we have not yet found malicious artifacts related to them."