During the past year, Check Point Research (CPR), in cooperation with Kaspersky’s GReAT, have been tracking an ongoing attack targeting a small group of Uyghur individuals located in Xinjiang and Pakistan. Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up to date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups.
In this report, we examine the flow of both infection vectors and provide our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.
Our investigation began with a malicious document named UgyhurApplicationList.docx (MD5: a1d773621581981a94459bbea454cdf8), which carried the logo of the United Nations Human Rights Council (UNHRC), and contained decoy content from a United Nations general assembly discussing human rights violations.
Fig. 1 Delivery document carrying the UNHCR logo
After clicking on “Enable Editing”, a malicious external template is downloaded from officemodel[.]org. This template has embedded VBA macro code, which then checks the operating system’s architecture, and based on this proceeds to decode a 32-bit or a 64-bit payload.
Fig. 2 Malicious macros checking the operating system version
The payloads are embedded in the document itself and are base64 encoded. After the corresponding version is decoded, it is then named OfficeUpdate.exe and saved under the %TEMP% directory. In the two OfficeUpdate.exe samples we located, the payload was a shellcode loader which starts with basic evasion and anti-debugging techniques, by using functions such as sleep and QueryPerformanceCounter. The shellcode in both variants attempts to fetch a remote payload. In the first variant, we found the loaded shellcode attempted to connect to 185.94.189[.]207, where the second variant tried to connect to officemodel[.]org, even though it crashes during execution. Unfortunately, we were not able to retrieve the next stage payload for analysis.
The domain observed in the malicious document (officemodel[.]org) resolved to the same IP address as unohcr[.]org – a domain impersonating the Office of the United Nations High Commissioner for Human Rights (OHCHR). This overlap in resolution happened over a long period of time, from April to December 2020.
By pivoting on that infrastructure we were able to reveal another infection vector that was used in this operation: distribution through fake websites that host malicious executables targeting Windows users.
Fig. 3 Connection to additional domains
Another IP address that unohcr[.]org resolved to revealed a domain named tcahf[.]org, which hosted a website claiming to represent TCAHF – the “Turkic Culture and Heritage Foundation”.
TCAHF is supposedly a private organization that funds and supports groups working for “Tukric culture and human rights”, when in truth it is a made up entity, and most of its website’s content is copied from the legitimate opensocietyfoundations.org.
Fig. 4 Fake website (top) compared to the legitimate one
The malicious functionality of the TCAHF website is well disguised and only appears when the victim attempts to apply for a grant (see the added “Application” menu button in Fig. 4 above). The website then claims it must make sure the operating system is safe before entering sensitive information for the transaction, and therefore asks the victims to download a program to scan their environments. The website offers two download options, one for MacOS and one for Windows, but only Windows programs were available when we analyzed the website, and the MacOS version link served an empty file.
Fig. 5 Links to download a fake security scanner
During 2020, the fake TCAHF website served at least two variants of the Windows implants: one we refer to as WebAssistant which was available in May 2020, and another called TcahfUpdate which was available in October 2020.
Fake Website Infection Chain
The first payload we observed being downloaded from tcahf[.]org was called win.exe. This payload is an Installshield package that executes a Windows Installer (MSI) file that installs the WebAssistant application and drops four files.
Fig. 6 Execution flow of the WebAssistant application
The installer also registers a URL protocol handler for the sechk scheme: whenever a user is redirected to a URL which starts with sechk:// (instead of http:// for example), WebAssistant.exe will be executed.
Fig. 7 Registry value to handle “sechk” scheme under HKCR
This scheme appears in the source of the TCAHF website, and when the victim accesses different pages, a pop-up message asking to run the WebAssistant application is shown:
Fig. 8 A pop up to run WebAssistant due to the presence of “sechk” scheme
Unlike most malicious samples, WebAssistant does not attempt to conceal itself or hide its execution from the victim, as it is allegedly a security scanner that is required for the application process in the website to work. The WebAssistant installer creates four files, three of which were compiled by the attackers on May 21st, 2020. The files are saved under the C:\Program Files\WebAssistant\SecurityScan directory:
Legitimate library used to parse JSON objects
The main executable (WebAssistant.exe) has a graphical interface that is shown as a decoy to the victims, potentially allowing them to conduct the fake scan:
Fig. 9 WebAssistant’s user interface
When the victim presses the Scan button, the ThreadScanSystem method in the .NET binary is called. Unlike what its name suggests, this method does not really scan the system for security issues, but instead displays hardcoded strings informing the victim that everything is in order while it performs other actions in the background:
Fig. 10 Messages shown to the victim during the fake scan
First, ThreadScanSystem calls the CheckUpdate method and sends a GET request to the C2 server along with the following parameters action=update&app=WebAssistant/1.0&db=Database/1.0, and the server returns a JSON object:
Fig. 11 Communicating with the C2 server to check for pending updates
The JSON object is then parsed for certain fields such as appurl or dburl. The appurl field contains a URL to download another executable called Setup.exe, which is then saved to the TEMP directory. After downloading Setup.exe, WebAssistant runs it and displays its graphical component to the victim.
Fig. 12 Downloading and running Setup.exe
On the other hand, the dburl field in the JSON object contains a URL to download a library called WinDBProject.dll. This library exports three functions that are loaded by the WebAssistant binary: getWinDBVersion, winDBCheckVmProcess, and winDBCheckConflicts.
Fig. 13 Importing functions from the downloaded DLL
By default, those three functions are loaded from the WinInterface.dll library created by the installer, however each exported function in WinInterface.dll is simply a wrapper designed to execute a function with the same name in WinDBProject.dll. This means that without the additional downloaded DLL, the functions in WinDBProject.dll do not contain any logic of their own and we cannot see the full implementation. Unfortunately, we were unable to obtain both WinDBProject.dll and Setup.exe.
Fig. 14 Wrapper functions in WinInterface.dll
Following this, WebAssistant.exe proceeds to collect the following information about the infected system: the BIOS serial number, CPU information, and MAC address. It also collects a list of the running processes and a list of the installed programs. It is interesting to note that when the `WebAssistant application enumerates the running processes, it calls the winDBCheckVmProcess function imported from the downloaded DLL. The name of this function suggests that its purpose is to check if the result contains any processes associated with virtual machines, which might mean the malware is running in an emulated environment or by a researcher. In an attempt to evade detection, the attackers then stop the execution after displaying a message that the program cannot run inside a virtual machine.
Fig. 15 Checking if the application is running inside a virtual machine
Similarly, the list of installed programs is examined by the imported winDBCheckConflicts function to check for the existence of certain software on the system, and stop the execution if it is found. Although we do not know which programs are sought by winDBCheckConflicts, it is possible the attackers use it to evade AntiVirus solutions and security products that might otherwise detect the presence of their malicious activity. If no problematic process or software is encountered, the collected information (system information list, processes list, installed programs list) is then uploaded to the C2 server. Each one of the lists is encoded using base64, and added to a JSON object that is sent to tcahf[.]org/verify_.php?flag=false via a POST request.
POST hxxps://tcahf[.]org/verify_/.php?flag=false HTTP/1.1
Fig. 16 Uploading the collected data to the C2 server
Alternatively, if the WebAssistant application is executed as a result of the registered URL scheme sechk, the execution flow is quite similar to the one we already described. The main function checks if a load argument was provided (sechk://load), and if so calls two methods: initApp and globalScan. The globalScan method exfiltrates the same system information seen above, whereas the initApp schedules a Timer to collect and upload this data every half an hour.
Fig. 17 Timed event to exfiltrate system information
Lastly, another binary dropped by this installer is WindowsService.exe, which is a service that ensures the persistence of the malicious functionality and performs the same actions as WebAssistant.exe periodically.
TcahfUpdate replaced the previous WebAssistant implant and was available for download from the fake website during October 2020. TcahfUpdate is composed of three files: two are .NET executables created by the attackers and compiled in September 2020, while the third is a legitimate DLL library.
Legitimate library used to parse JSON objects
registration code to be used in the TCAHF website. Behind the scenes however, it behaves in a similar manner to the previously described WebAssistant variant. RegisterUI.exe is the user interface of the TcahfUpdate application, when the UI is loaded it triggers the collection of system information in the background, with some changes introduced from the older version.
Fig. 18 User interface of RegisterUi.exe
For example, in addition to the BIOS serial number, CPU information, and MAC address, this variant also adds the local system time to the stolen data. The data is then encrypted using AES with the encryption key A4DC55FAC1E4E512C07C1504FDC9B668, and is uploaded to the C2 server by appending it to the following URL: hxxps://www.tcahf[.]org/verify_.php?uuid=. The encrypted data is also used to generate the registration code displayed to the victim in the UI.
Fig. 19 Encrypting the stolen data using the “uuidEncode” method
As for the second executable, TcahfUpdateSvr.exe is a windows service that makes sure the malicious code is constantly running. It assigns RegisterUI.exe to be the handler of the tcahf:// protocol, so that it could be executed whenever the victim accesses a URL that begins with this scheme.
Moreover, it can fetch an additional payload by communicating with the C2 server using the hxxps://www.tcahf[.]org/cgi-bin/update.py?uuid=[DATA] URL along the user agent Certificate Update(For Windows)/1.0. As with the previous variant, the result from this request is a JSON object that may contain the Setup.exe executable. The executable is saved under the %TEMP% directory and executed with admin privileges:
Fig. 20 Downloading and running Setup.exe
Due to the nature of the malicious websites and the decoy content used in the delivery document, we can assess this campaign is intended to target the Uyghur minority or organizations supporting them. Our telemetry supported this assessment, as we have identified only a handful of victims in Pakistan and China. In both cases, the victims were located in regions mostly populated by the Uyghur minority.
Although we were unable to find code or infrastructure similarities to a known threat group, we attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, we noticed that some excerpts of the code were identical to VBA code that appeared in multiple Chinese forums, and might have been copied from there directly.
Fig. 21 Similar macro code in Chinese forum
While most of the activity described above happened during 2020, it appears the threat actor behind this campaign is still active in 2021, with two newly registered domains: malaysiatcahf[.]org and icislieri[.]com. These two domains resolved to the same IP address as officemodel[.]org, and the server responded only to the unique URLs we have previously observed in this campaign, further confirming the connection to this threat actor.
The second domain (icislieri[.]com) appears to be impersonating the Turkish Ministry of the Interior, but currently both domains redirect to the website of a Malaysian government body called the “Terengganu Islamic Foundation”. This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.
Our joint analysis of this previously unreported threat group, which first emerged in early 2020, shows an elaborate attack that has been taking advantage of different infection vectors to target supporters and members of the Uyghur minority.
The malicious executables created by the attackers exfiltrate basic information about the infected system, but can also download a second-stage payload, or in the case of the documents, fetch additional commands from the C2 server. This means that we have not yet seen all the capabilities of this malware, or the full course of action taken by the attackers following a successful infection.
Lastly, the fact that the attackers are still registering domains indicates this activity is still ongoing, and there might be new sightings or new variants of the malware in the near future.