HomeTech PlusTECH & OTHER NEWSFake human rights organization, UN branding used to target Uyghurs in ongoing...

Fake human rights organization, UN branding used to target Uyghurs in ongoing cyberattacks

United Nations (UN) branding is being abused in a campaign designed to spy on Uyghurs. 

On Thursday, Check Point Research (CPR) and Kaspersky’s GReAT team said that the campaign, likely to be the work of a Chinese-speaking threat actor, is focused on Uyghurs, a Turkic ethnic minority found in Xinjiang, China. 

Potential victims are sent phishing documents branded with the United Nations’ Human Rights Council (UNHRC) logo. Named UgyhurApplicationList.docx, this document contains decoy material relating to discussions of human rights violations. 

However, if the victim enables editing on opening the file, VBA macro code then checks the PC’s architecture and downloads either a 32- or 64-payload. 

screenshot-2021-05-26-at-16-17-33.png

Dubbed “OfficeUpdate.exe,” the file is shellcode that fetches and loads a remote payload, but at the time of analysis, the IP was unusable. However, the domains linked to the malicious email attachment expanded the investigation further to a malicious website used for malware delivery under the guise of a fake human rights organization.

The “Turkic Culture and Heritage Foundation” (TCAHF) domain claims to work for “Tukric culture and human rights,” but the copy has been stolen from opensocietyfoundations.org, a legitimate civil rights outfit. 

This website, directed at Uyghurs seeking funding, tries to lure visitors into downloading a “security scanner” prior to filing the information required to apply for a grant. However, the software is actually a backdoor. 

The website offered a macOS and Windows version but only the link to the latter downloaded the malware. 

Two versions of the backdoor were found; WebAssistant that was served in May 2020, and TcahfUpdate which was loaded from October. The backdoors establish persistence on victim systems, conduct cyberespionage and data theft, and may be used to execute additional payloads. 

Victims have been located in China and Pakistan in regions mostly populated by Uyghurs.

CPR and Kasperksy say that while the group doesn’t appear to share any infrastructure with other known threat groups, they are most likely Chinese-speaking and are still active, with new domains registered this year to the same IP address connected to past attacks. 

“Both domains redirect to the website of a Malaysian government body called the “Terengganu Islamic Foundation”,” the researchers say. “This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.”

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


By ZDNet Source Link

Technology For You
Technology For Youhttps://www.technologyforyou.org
Technology For You - One of the Leading Online TECHNOLOGY NEWS Media providing the Latest & Real-time news on Technology, Cyber Security, Smartphones/Gadgets, Apps, Startups, Careers, Tech Skills, Web Updates, Tech Industry News, Product Reviews and TechKnowledge...etc. Technology For You has always brought technology to the doorstep of the Industry through its exclusive content, updates, and expertise from industry leaders through its Online Tech News Website. Technology For You Provides Advertisers with a strong Digital Platform to reach lakhs of people in India as well as abroad.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

spot_img

CYBER SECURITY NEWS

TECH NEWS

TOP NEWS