New Malware Campaign Targets Uyghur Activists On Mac OS X

Researchers have observed a recent spike in attacks against the Uyghur community aimed at monitoring their email and chat activities, according to AlienVault and Kaspersky Lab.

The latest campaign against the Uyghur, a Turkic ethnic group primarily living in China, exploited a three-year-old vulnerability in Microsoft Office for Mac, researchers from AlienVault and Kaspersky said. The two companies jointly investigated the campaign and published separate blog posts on Wednesday.

There have been a number of Mac OS X attacks targeting various ethnic groups and other non-governmental organizations over the past year. AlienVault and Kaspersky previously uncovered espionage campaigns against several pro-Tibetan NGOs exploiting unpatched versions of Microsoft Office and Oracle’s Java on the Mac last March, and Kaspersky identified a newer version targeting Uyghur activists in June.

The booby-trapped Word document used the same exploit as the one used in previous attacks, Jaime Blasco, director of AlienVault Labs, wrote on The Vault blog.

Mac users are still operating under a “false sense of security” that Macs don’t get malware, said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “With these attacks, we continue to see an expansion of the APT capabilities to attack Mac OS X users,” Raiu wrote on the company’s Securelist blog.

In the latest campaign, which targeted several Uyghur activists and most notably the World Uyghur Congress, users were tricked into opening a malicious Word document that exploited a Microsoft Office vulnerability fixed back in 2009 (CVE-2009-0563). Users who viewed the file on an unpatched version of Microsoft Word were infected with a backdoor Trojan called TinySHell. In this campaign the backdoor performs only two functions: it gives attackers a remote shell to execute code, and it transfers files in and out of the compromised machine, Blasco said.

The filenames are designed to trick victims into thinking they are opening pro-Uyghur messages, such as “Concerns over Uyghur People,” “The Universal Declaration of Human Rights and the Unrecognized Population Groups,” and “Uyghur Political Prisoner.” One way to identify the documents as malicious is to look at the “author” field in the document properties. The value is “always ‘captain,’” Blasco said, adding that “captain” has been linked to similar attacks in the past.
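As an added illustration of the author-field check described above (this is not code from AlienVault or Kaspersky), the function below reads the dc:creator value from docProps/core.xml inside an OOXML (.docx) container and flags the "captain" indicator. It assumes .docx packaging; the legacy binary .doc format keeps the author in the OLE SummaryInformation stream, which this snippet does not parse.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

DC_NS = "http://purl.org/dc/elements/1.1/"
# Author value reported in the article as a consistent indicator for these lures.
SUSPICIOUS_AUTHORS = {"captain"}


def extract_author(data: bytes) -> Optional[str]:
    """Return the dc:creator value from docProps/core.xml, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    node = root.find(f"{{{DC_NS}}}creator")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def is_suspicious(data: bytes) -> bool:
    """True when the document's author metadata matches a known indicator (case-insensitive)."""
    author = extract_author(data)
    return author is not None and author.lower() in SUSPICIOUS_AUTHORS


def build_sample_docx(author: str) -> bytes:
    """Construct a minimal OOXML package with the given creator (sample data, not a real lure)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        f'xmlns:dc="{DC_NS}"><dc:creator>{author}</dc:creator></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")  # placeholder body, never parsed here
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("captain", "Alice"):
        print(name, "->", "suspicious" if is_suspicious(build_sample_docx(name)) else "clean")
```

Run against real samples by passing the file bytes to `is_suspicious`; a missing or empty author field yields None rather than a false positive.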

This particular backdoor establishes an encrypted connection back to command-and-control servers and can also steal the user’s contacts lists. Even if the backdoor is discovered and removed quickly, the “attacker has a list of trusted contacts to spoof” with malicious emails in order to regain control of the computer, Raiu said. The attacker may also be attempting to identify other potential high-value targets this victim is connected to.

Raiu said some of the filenames were observed in 2012, but there was a “significant spike” in the attacks in January and February, indicating the attackers are currently active.


AlienVault linked one of the domain names for the C&C servers to 11 others found in other campaigns because they all had the same email address in the domain registration data. Researchers traced those 12 hostnames back to four IP addresses associated with a well-known California-based hosting company.

The particular bullet-proof hosting provider “ignores pretty much all shutdown requests,” Raiu said.

Macs have been hit by several of these types of campaigns, in which attackers siphon out intellectual property and sensitive communications slowly over a long period of time. Users are reminded to apply software and operating system patches as soon as possible, and to avoid clicking on links included in emails. Many of the attacks appear to come from a friend or work colleague, or to have some legitimate business purpose. “If you notice suspicious looking e-mails, it’s always a good idea to ask the sender if he actually sent you that document in the first place,” Raiu said.

Raiu also recommended using a Gmail account, if possible, since Google warns activists if the company detects possible nation-state sponsored attacks on the account and offers security protections such as two-factor authentication.
