An extensive campaign has surfaced that targets Windows users belonging to a specific Asian religious and ethnic group. The attack making use of a series of watering-hole websites and a drive-by download gambit relying on fake Flash updates.
According to analysis from Kaspersky, released on Tuesday, the websites in question are legitimate sites that were compromised to selectively trigger a drive-by download attack. There are almost 10 compromised websites in all, researchers said, belonging to high-profile personalities within the target group, public bodies, charities and other organizations. The security firm said that some of the sites (all hosted on the same server) are still compromised, and continue to carry out the campaign.
While the Uighurs – an ethnic and religious minority in China – have been the targets of multiple cyberattacks and surveillance in the past, the firm said that it couldn’t reveal the identity of the target group.
“Unfortunately, at this moment we cannot share anything in addition to what has been shared already,” the Kaspersky research team told Threatpost, via email. “We are ready to share relevant the information we have on those attacks with any group/organization that feels it may become a target of this campaign, and that we’ve also been hard at work trying to contact the victims we know of.”
Looking under the hood, the effort (which Kaspersky said has been active since at least May 2019) turns out to be a multi-stage affair that uses a variety of open-source development tools.
It kicks off with a first-stage JavaScript line of code that’s automatically served by the website, according to the analysis. It’s named (script|jquery)-css.js, and is obfuscated with the Chinese-language web service Sojson, version 4. Its job is to fingerprint visitors to the watering hole to see if they’re targets for the next stages of the attack – it collects target information and sends it via HTTP GET requests to a remote server, which returns a JSON-formatted response of either “true” or “false.”
If the answer is “true,” this triggers the loading of a second-stage JavaScript.
The second JavaScript stage is named (script|jquery)-file.js, and is obfuscated with Sojson version 5, according to the research. The purpose of this code is to surface a pop-up to website visitors that encourages them to download a supposed “update” for Flash player.
The purported update is actually a file hosted on a GitHub repository. If the website visitor falls for the fake prompt and clicks “install,” four different executables are downloaded to the victim’s machine.
Kaspersky said that these include an installer package that includes a decoy, legitimate Flash update and a stager. However, the Flash update is no longer valid, so it will fail with a message stating that the installer is outdated or renamed, and will direct the user to the Adobe website, according to the analysis.
The second file is a module called “Godlike12,” which is a backdoor written in the Go language that sets up a command-and-control (C2) channel and proceeds with host fingerprinting upon startup (hostname, IP address, MAC address, Windows version, current time, Kaspersky researchers wrote). It also regularly checks for a remote [ID]-cs.txt, which contains encrypted commands for it to carry out. The most interesting thing about the implant is the fact that it exchanges files with a Google Drive space in order to communicate.
And finally, there are two versions of the open-source Stitch Python backdoor that are installed, Kaspersky said. Stitch is a remote-shell program that establishes a direct socket connection with the C2 to exchange AES-encrypted data with the remote server; in this case though, both backdoors have been customized to add persistence, an auto-update function, and decoy download and execution capabilities.
“Threat actors wrapped Stitch with custom Python code to perform additional operations,” according to the Kaspersky write-up. “It downloads a legitimate Adobe Flash installation program from the C2 server at startup; it auto-updates the backdoor from ubntrooters.serveuser[.]com at startup; [and] it ensures persistence through schtasks [T1053] with a logon task named AdobeUpdater pointing to C:\ProgramData\package\AdobeService.exe.”
Taken in all, the operation appears to be under constant development – albeit of a not-that-sophisticated nature in the security firm’s estimation.
“The attackers have set up a sizable yet very targeted water-holing attack,” the researchers concluded. “The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.”
Though the team was unable to correlate the attacks to any known APT groups, the attackers could be of Chinese origin, Kaspersky noted. For one, the encryption function in the Go-language implant “seems to have been inspired from existing open-source code, which mainly appears popular in Chinese-language forums,” according to the research.
Also, “Source-file paths in the code suggest this backdoor may have been developed on a GNU/Linux system,” the analysis continued. “The not-so-common (less than 100 results in a popular search engine) /root/gowork GOPATH that some of this backdoor’s modules have been compiled from seems popular in Chinese-speaking communities, and may originate from a Chinese-authored tutorial on Go language.”
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.