New Malware Campaign Targets Uyghur Activists On Mac OS X

Researchers have observed a recent spike in attacks against the Uyghur community to monitor their email and chat activities, according to AlienVault and Kaspersky Lab.

The latest campaign against the Uyghur, a Turkic ethnic group primarily living in China, exploited a three-year-old vulnerability in Microsoft Office for Mac, researchers from AlienVault and Kaspersky said. The two companies jointly investigated the campaign and published separate blog posts on Wednesday.

There have been a number of Mac OS X attacks targeting various ethnic groups and other non-governmental organizations over the past year. AlienVault and Kaspersky previously uncovered espionage campaigns against several pro-Tibetan NGOs exploiting unpatched versions of Microsoft Office and Oracle’s Java on the Mac last March, and Kaspersky identified a newer version targeting Uyghur activists in June.

The booby-trapped Word document used the same exploit as the one used in previous attacks, Jaime Blasco, director of AlienVault Labs, wrote on The Vault blog.

Mac users are still operating under a “false sense of security” that Macs don’t get malware, said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “With these attacks, we continue to see an expansion of the APT capabilities to attack Mac OS X users,” Raiu wrote on the company’s Securelist blog.

In the latest campaign, which targeted several Uyghur activists and most notably the World Uyghur Congress, users were tricked into opening a malicious Word document that exploited a Microsoft Office vulnerability fixed back in 2009 (CVE-2009-0563). Users who viewed the file on an unpatched version of Microsoft Word were infected with a backdoor Trojan called TinySHell. The backdoor performs only two functions in this campaign: giving attackers a remote shell to execute code, and transferring files in and out of the compromised machine, Blasco said.

The filenames are designed to trick victims into thinking they are opening pro-Uyghur messages, such as “Concerns over Uyghur People,” “The Universal Declaration of Human Rights and the Unrecognized Population Groups,” and “Uyghur Political Prisoner.” One way to identify the documents as malicious is to look at the “author” field in the document properties. The value is “always ‘captain,’” Blasco said, adding that “captain” has been linked to similar attacks in the past.
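One way to automate the document-properties check described above, as an added example that is not from the article or from either vendor: it reads the author field of an OOXML (.docx) package and flags the value “captain”. The OOXML container and the sample packages built here are assumptions; documents in the legacy binary .doc format keep the author in the OLE SummaryInformation stream and would need an OLE parser instead.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

# Author value tied to this campaign per the article; everything else here is constructed.
SUSPICIOUS_AUTHORS = {"captain"}
# Dublin Core namespace of the creator element in docProps/core.xml.
DC_NS = "{http://purl.org/dc/elements/1.1/}"

def document_author(data: bytes) -> Optional[str]:
    """Return the dc:creator value from an OOXML (.docx) package, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return None  # no core properties part at all
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None  # not an OOXML container, or corrupt metadata
    creator = root.find(DC_NS + "creator")
    if creator is None or not creator.text:
        return None
    return creator.text.strip()

def is_suspicious(data: bytes) -> bool:
    """Flag a document whose author matches the watchlist (case-insensitive)."""
    author = document_author(data)
    return author is not None and author.lower() in SUSPICIOUS_AUTHORS

def make_docx(author: str) -> bytes:
    """Build a minimal constructed package with only core properties (sample input)."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{escape(author)}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    for name, author in [("Uyghur Political Prisoner.docx", "captain"), ("notes.docx", "alice")]:
        print(name, "SUSPICIOUS" if is_suspicious(make_docx(author)) else "clean")
```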

This particular backdoor establishes an encrypted connection back to command-and-control servers and can also steal the user’s contacts lists. Even if the backdoor is discovered and removed quickly, the “attacker has a list of trusted contacts to spoof” with malicious emails in order to regain control of the computer, Raiu said. The attacker may also be attempting to identify other potential high-value targets this victim is connected to.

Raiu said some of the filenames were observed in 2012, but there was a “significant spike” in the attacks in January and February, indicating the attackers are currently active.

AlienVault linked one of the domain names for the C&C servers to 11 others found in other campaigns because they all had the same email address in the domain registration data. Researchers traced those 12 hostnames back to four IP addresses associated with a well-known California-based hosting company.

The particular bullet-proof hosting provider “ignores pretty much all shutdown requests,” Raiu said.

Macs have been hit by several of these types of campaigns, where attackers siphon out intellectual property and sensitive communications slowly over a long period of time. Users are reminded to apply software and operating system patches as soon as possible, and to avoid clicking on links included in emails. Many of the attacks appear to come from a friend or work colleague, or to have some legitimate business purpose. “If you notice suspicious looking e-mails, it’s always a good idea to ask the sender if he actually sent you that document in the first place,” Raiu said.

Raiu also recommended using a Gmail account, if possible, since Google warns activists if the company detects possible nation-state sponsored attacks on the account and offers security protections such as two-factor authentication.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.