Windows Backdoor Targets Members of Exiled Uyghur Community
A spear-phishing campaign sent Trojanized versions of legitimate word-processing software to members of the World Uyghur Congress as part of China's continued cyber-espionage activity against the ethnic minority.
April 29, 2025
A China-backed threat group targeted members of the World Uyghur Congress (WUC) with a Trojanized version of legitimate open source software as part of ongoing cyberattacks against the ethnic group.
Researchers at the University of Toronto's The Citizen Lab discovered a spear-phishing campaign in March aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets through a word processing and spell-checking tool that's intended to support the use of the Uyghur language.
The malware used in the campaign, which appeared to be active since May 2024, was not particularly advanced; however, its delivery was well customized to reach its targets, according to a blog post published yesterday.
"The ruse employed by the attackers replicates a typical pattern: threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities," The Citizen Lab's researchers wrote in the post.
While The Citizen Lab did not specifically identify the culprit behind the attack, the researchers believe a China-sponsored threat group is likely responsible, given historical precedent. The lab's investigation and reporting of the campaign once again calls out the "ongoing threats of digital transnational repression" used to intimidate and silence the Uyghur diaspora, something Chinese state-sponsored actors have long done within their own country as well as in other regions.
Malicious Google Drive Links
The WUC is an international nongovernmental umbrella organization representing more than 30 Uyghur groups distributed across 18 countries. The congress is aimed at advancing Uyghur human rights both in China and abroad and is headquartered in Munich, which hosts a large European Uyghur community.
The threat campaign began in mid-March with Google notifications sent to members of the WUC living in exile that warned their accounts had been the subject of government-backed attacks.
The attacks came in the form of a spear-phishing email, sent to some members and impersonating a trusted contact at a partner organization, that contained Google Drive links. The message asked the recipient to download and test Uyghur-language software. When clicked, the links downloaded a password-protected RAR archive containing a Trojanized version of a legitimate open source Uyghur language text editor, UyghurEditPP.
Backdoor Behavior
Once executed, the backdoor profiles the system, collects data, and sends system information to a remote server. It also can potentially load additional malicious plug-ins. Data collected from the targeted device includes the machine name; user name; IP address; OS version; and an MD4 hash of the machine name, user name, and hard disk serial number.
If the device is found to belong to a person of interest, the backdoor also can download files from the targeted device, upload files to it, and run commands against plug-ins uploaded to the device.
Though the malware comes disguised as a legitimate Windows tool, its certificate, which was valid as of June 4, 2024, holds clues to its malicious intent, the researchers noted.
"The certificate impersonates Microsoft and has a negative number as a Serial Number, in addition to numerous other oddities," they observed. "The combination of a deprecated TLS version, a weak cryptographic key, and a serial number that is non-compliant with various modern standards, such as RFC 5280, all indicate that this is not a certificate that is meant for legitimate use."
The certificate also was seen on four IP addresses that all belong to the same autonomous system, managed by US-based hosting provider Choopa LLC and "frequently abused by threat actors," according to The Citizen Lab. The researchers also said the attackers moved infrastructure for the campaign several times since it started in June. The most recent sighting of the certificate was on April 11 at the IP linked to anar[.]gleeze[.]com, the backdoor's backup command-and-control (C2) server.
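The certificate oddities the researchers describe (a negative serial number, a serial that does not comply with RFC 5280, a weak key) are checks a defender can run against any certificate pulled from suspicious infrastructure. The following is an added example, not code from The Citizen Lab or from the campaign's tooling: a small stdlib-only DER walker that extracts the serial number and RSA modulus size from a certificate and reports the RFC 5280 section 4.1.2.2 violations (serial must be positive and at most 20 octets) and a modulus below a configurable minimum. The two certificates it audits are constructed in the block itself as unsigned skeletons with the correct X.509 layout; they are not real certificates and are not the certificate seen in the campaign. The deprecated TLS version the researchers mention is a property of the server's handshake, not of the certificate, so it is outside this check.

```python
"""Audit an X.509 certificate's serial number and RSA key size (added example)."""

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption


def der_tlv(tag, payload):
    """Encode one DER tag-length-value element (long-form length when needed)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf, pos):
    """Decode the TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _tbs_after_serial(cert_der):
    """Return (raw serial INTEGER content, tbsCertificate bytes, offset past serial).
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... } }"""
    tag, cert_body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE at top level")
    _, tbs, _ = der_read(cert_body, 0)
    tag, val, pos = der_read(tbs, 0)
    if tag == 0xA0:                     # explicit [0] version present: skip it
        tag, val, pos = der_read(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return val, tbs, pos


def extract_serial(cert_der):
    """Raw serialNumber content octets (DER INTEGER, two's complement)."""
    return _tbs_after_serial(cert_der)[0]


def extract_rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in subjectPublicKeyInfo, or None for non-RSA keys."""
    _, tbs, pos = _tbs_after_serial(cert_der)
    for _ in range(4):                  # skip signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, spki, _ = der_read(tbs, pos)
    _, alg, p = der_read(spki, 0)
    _, oid, _ = der_read(alg, 0)
    if oid != RSA_OID:
        return None
    tag, bits, _ = der_read(spki, p)
    if tag != 0x03:
        raise ValueError("expected BIT STRING subjectPublicKey")
    _, rsa_key, _ = der_read(bits[1:], 0)   # bits[0] is the unused-bits count
    _, n_raw, _ = der_read(rsa_key, 0)      # RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }
    return int.from_bytes(n_raw, "big", signed=True).bit_length()


def audit_certificate(cert_der, min_rsa_bits=2048):
    """List of findings: RFC 5280 4.1.2.2 serial rules plus a minimum RSA key size."""
    findings = []
    raw = extract_serial(cert_der)
    serial = int.from_bytes(raw, "big", signed=True)   # a set high bit means negative
    if serial <= 0:
        findings.append(f"serial number is not positive ({serial})")
    if len(raw) > 20:
        findings.append(f"serial number is {len(raw)} octets, over the 20-octet limit")
    bits = extract_rsa_modulus_bits(cert_der)
    if bits is not None and bits < min_rsa_bits:
        findings.append(f"RSA modulus is only {bits} bits (< {min_rsa_bits})")
    return findings


def build_sample_cert(serial_bytes, modulus_bits):
    """Constructed, unsigned certificate skeleton for the demo (hypothetical, not a valid cert)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # v3
    serial = der_tlv(0x02, serial_bytes)
    alg_id = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")                                 # empty Name placeholder
    validity = der_tlv(0x30, der_tlv(0x17, b"240604000000Z") + der_tlv(0x17, b"250604000000Z"))
    modulus = (1 << (modulus_bits - 1)) | 1                   # odd value of exactly modulus_bits bits, not a real key
    n = b"\x00" + modulus.to_bytes(modulus_bits // 8, "big") # leading 0x00 keeps the INTEGER positive
    rsa_key = der_tlv(0x30, der_tlv(0x02, n) + der_tlv(0x02, b"\x01\x00\x01"))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + rsa_key))
    tbs = der_tlv(0x30, version + serial + alg_id + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg_id + der_tlv(0x03, b"\x00" + b"\x00" * 32))


# Constructed samples: first content octet 0xff has its high bit set, so DER reads it as negative.
SUSPICIOUS_CERT = build_sample_cert(b"\xff\x13\x37", 1024)
CLEAN_CERT = build_sample_cert(b"\x01\x23\x45", 2048)

if __name__ == "__main__":
    for label, cert in (("suspicious", SUSPICIOUS_CERT), ("clean", CLEAN_CERT)):
        print(label, audit_certificate(cert) or ["no findings"])
```

To run this against a real certificate, read the DER bytes (for PEM input, base64-decode the body between the BEGIN/END markers) and pass them to `audit_certificate`. The walker only understands the fixed TBSCertificate field order, which is what RFC 5280 mandates, so it works on well-formed certificates regardless of issuer; a certificate that trips the serial-number rules is exactly the kind of artifact that should be cross-checked against the legitimate vendor's published signing certificates rather than trusted on its name alone.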
Ongoing Targeting of Ethnic Communities
China has long used cyberattacks to harass and surveil Uyghurs and other ethnic minorities that the government views as a threat, including Tibetan, Taiwanese, and Turkic people. These minorities and other marginalized groups should be aware of signs they are being targeted via spear-phishing and other malicious activity, the researchers noted.
The Citizen Lab made typical recommendations to those at risk to avoid inadvertently downloading malware, such as being sure to download software or applications only from an official source and not from links in emails or shared on social media "that point to file-sharing sites or unfamiliar domains."
The researchers also recommended looking for code-signing certificates or a message that software is from a "verified publisher" or "notarized" before downloading a file. "If you see a warning that the software publisher is 'unknown,' think twice before installing — it could be a red flag," the researchers warned.
Potential targets also can look out for typosquatting or domain impersonation by cross-referencing the legitimate site of a software provider such as Microsoft with the company or developer's verified social media, documentation, or other reputable sources.