New Malware Campaign Targets Uyghur Activists On Mac OS X

Researchers have observed a recent spike in attacks against the Uyghur community to monitor their email and chat activities, according to AlienVault and Kaspersky Lab.

The latest campaign against the Uyghurs, a Turkic ethnic group living primarily in China, exploited a three-year-old vulnerability in Microsoft Office for Mac, researchers from AlienVault and Kaspersky said. The two companies jointly investigated the campaign and published separate blog posts on Wednesday.

There have been a number of Mac OS X attacks targeting various ethnic groups and other non-governmental organizations over the past year. AlienVault and Kaspersky previously uncovered espionage campaigns against several pro-Tibetan NGOs exploiting unpatched versions of Microsoft Office and Oracle’s Java on the Mac last March, and Kaspersky identified a newer version targeting Uyghur activists in June.

The booby-trapped Word document used the same exploit as the one used in previous attacks, Jaime Blasco, director of AlienVault Labs, wrote on The Vault blog.

Mac users are still operating under a “false sense of security” that Macs don’t get malware, said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “With these attacks, we continue to see an expansion of the APT capabilities to attack Mac OS X users,” Raiu wrote on the company’s Securelist blog.

In the latest campaign, which targeted several Uyghur activists and most notably the World Uyghur Congress, users were tricked into opening a malicious Word document that exploited a Microsoft Office vulnerability fixed back in 2009 (CVE-2009-0563). Users who viewed the file in an unpatched version of Microsoft Word were infected with a backdoor Trojan called TinySHell. The backdoor performs only two functions in this campaign: giving attackers a remote shell to execute code, and transferring files in and out of the compromised machine, Blasco said.

The filenames are designed to trick victims into thinking they are opening pro-Uyghur messages, such as “Concerns over Uyghur People,” “The Universal Declaration of Human Rights and the Unrecognized Population Groups,” and “Uyghur Political Prisoner.” One way to identify the documents as malicious is to look at the “author” field in the document properties. The value is “always ‘captain,’” Blasco said, adding that “captain” has been linked to similar attacks in the past.
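The metadata check described above is simple to automate for triage. The following is an added example, not code from the article or from AlienVault or Kaspersky: it reads the author fields from an Office document's core metadata and flags values matching an indicator list seeded with the "captain" value quoted above. It assumes OOXML (.docx) packages, which store that metadata in docProps/core.xml; legacy binary Word files keep the author in an OLE2 SummaryInformation stream and are reported as unsupported rather than parsed. The sample documents are constructed in memory so the script runs offline.

```python
"""
Triage helper: flag Office documents whose core-metadata author matches a
known-bad indicator. Added example; not the researchers' own tooling.
Assumptions: input is an OOXML (.docx) zip package with docProps/core.xml;
the indicator set holds the "captain" value reported in the article.
Legacy binary .doc files (OLE2 SummaryInformation) return 'unsupported'.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Indicator from the article; extend with other values from your own intel.
SUSPICIOUS_AUTHORS = {"captain"}


def extract_core_metadata(data: bytes) -> Optional[Dict[str, str]]:
    """Return the creator / lastModifiedBy fields from docProps/core.xml.

    Returns None when the bytes are not a zip package at all (e.g. a legacy
    .doc), and an empty dict when the package carries no core.xml part.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    meta: Dict[str, str] = {}
    creator = root.find("dc:creator", NS)
    if creator is not None and creator.text:
        meta["creator"] = creator.text.strip()
    modified_by = root.find("cp:lastModifiedBy", NS)
    if modified_by is not None and modified_by.text:
        meta["lastModifiedBy"] = modified_by.text.strip()
    return meta


def triage_document(data: bytes) -> str:
    """Classify a document as 'suspicious:<field>=<value>', 'clean' or
    'unsupported' based solely on its author metadata."""
    meta = extract_core_metadata(data)
    if meta is None:
        return "unsupported"
    for field in ("creator", "lastModifiedBy"):
        if meta.get(field, "").lower() in SUSPICIOUS_AUTHORS:
            return f"suspicious:{field}={meta[field]}"
    return "clean"


def build_docx(author: str) -> bytes:
    """Construct a minimal docx-like package in memory (sample input only).

    Only the parts the triage code touches are present; the result is not a
    document Word would open, just a realistic metadata carrier.
    """
    ET.register_namespace("cp", NS["cp"])
    ET.register_namespace("dc", NS["dc"])
    root = ET.Element(f"{{{NS['cp']}}}coreProperties")
    ET.SubElement(root, f"{{{NS['dc']}}}creator").text = author
    ET.SubElement(root, f"{{{NS['cp']}}}lastModifiedBy").text = "user"
    core_xml = ET.tostring(root, encoding="unicode")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one lure-style document, one benign, one legacy .doc
    # stand-in (OLE2 magic bytes, not a zip), which this script does not parse.
    samples = {
        "Concerns over Uyghur People.docx": build_docx("captain"),
        "quarterly_report.docx": build_docx("Alice Example"),
        "old_format.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    }
    for name, blob in samples.items():
        print(f"{name}: {triage_document(blob)}")
```

The check is deliberately case-insensitive and looks at both the creator and last-modified-by fields, since either can carry the operator's profile name. A match is a triage signal, not proof of compromise: authors can be edited freely, so the value should be combined with the other indicators the researchers published rather than used as a sole verdict.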

This particular backdoor establishes an encrypted connection back to command-and-control servers and can also steal the user’s contacts lists. Even if the backdoor is discovered and removed quickly, the “attacker has a list of trusted contacts to spoof” with malicious emails in order to regain control of the computer, Raiu said. The attacker may also be attempting to identify other potential high-value targets this victim is connected to.


Raiu said some of the filenames were observed in 2012, but there was a “significant spike” in the attacks in January and February, indicating the attackers are currently active.

AlienVault linked one of the domain names for the C&C servers to 11 others found in other campaigns because they all had the same email address in the domain registration data. Researchers traced those 12 hostnames back to four IP addresses associated with a well-known California-based hosting company.

The particular bullet-proof hosting provider “ignores pretty much all shutdown requests,” Raiu said.

Macs have been hit by several of these types of campaigns, in which attackers siphon out intellectual property and sensitive communications slowly over a long period of time. Users are reminded to apply software and operating system patches as soon as possible, and to avoid clicking on links included in emails. Many of the attack emails appear to come from a friend or work colleague, or to have some legitimate business purpose. “If you notice suspicious looking e-mails, it’s always a good idea to ask the sender if he actually sent you that document in the first place,” Raiu said.

Raiu also recommended using a Gmail account, if possible, since Google warns activists if the company detects possible nation-state sponsored attacks on the account and offers security protections such as two-factor authentication.
