Attackers with a control infrastructure based in China are leveraging the same vulnerability exploited by MiniDuke to attack Uyghur and Tibetan activists with new exploits.

Researchers at Kaspersky Lab and AlienVault discovered a spear phishing campaign targeting non-governmental activists with PDF files rigged to exploit CVE-2013-0640, the first confirmed sandbox bypass for Adobe Reader.

The malicious PDFs pretend to be a New Year’s party invitation and an authorization form requesting some sort of reimbursement for a Tibetan activist group. Once executed, a dropper lands on the victim’s machine and communicates with the command and control server located in the Shandong province of China. From there, the C&C server installs a remote access Trojan on the compromised machine.

“[The RAT] lets [the attacker] access the victim’s system to do virtually everything they want: stealing documents, uploading more malware,” said AlienVault Labs manager Jaime Blasco. “And of course, they can upload new modules to expand the functionalities if they require more.”

While this campaign exploits the same flaw in Adobe Reader as MiniDuke (the vulnerability was patched Feb. 20), the two attacks differ. MiniDuke was used primarily against government agencies in Europe, relied on steganography to hide backdoor code, and used Twitter posts to locate servers hosting that code. These new attacks also concentrate on stealing data, but part of the malware is signed with a compromised certificate and the location of the C2 server also differs from MiniDuke.

“Based on the exploit code and the payloads that are being used in the attack, it is clear that the group is a different one,” Blasco said. “Also the infrastructure is completely different and the modus operandi is very close to a few campaigns we have tracked in the past that were targeting mainly NGOs and other activists outside China.”

The Uyghur, much like the Tibetans, have been a frequent target for attackers inside of China. Espionage campaigns targeting the Turkic ethnic group have been escalating in recent weeks and have followed a similar pattern. In mid-February, a spear phishing campaign was spotted targeting the group with malicious Microsoft Word documents that exploited a buffer overflow vulnerability discovered and patched in 2009. Attacks against Mac OS X users were also detected last summer that would give attackers remote control of Mac computers in order to access and steal files.

In this campaign, the same group appears to be targeting the Uyghur and Tibetans simultaneously; Kaspersky Lab senior security researcher Costin Raiu said the connection could be a human rights conference taking place this week in Geneva.

“It is not that rare [both are targeted together], but it is true that most of the times they use different campaigns to target different groups,” Blasco said. “In the past, we also found similar patterns across campaigns targeting both Uyghur and Tibet people.”

Researchers found three different filenames for the PDF exploits: 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf; 联名信.pdf; and arp.pdf. Raiu and Blasco said the JavaScript code inside the PDFs resembles MiniDuke, minus some of the initial variables and obfuscation.

The malware dropped by the PDFs is detected by Kaspersky as Trojan.Win32.Agent.hwoo and .hwop. The dropper writes a local executable named AcroRd32.exe; when that file executes, it drops a small backdoor that connects to the command and control server at 60[.]211[.]253[.]28. Both C&C domains resolve to that IP address, which was registered by the same party located in Shandong. The data-stealing part of the payload is detected as Trojan.Win32.Swisyn.
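The indicators above can be turned into a simple triage check: lure filenames in mail attachment events, an AcroRd32.exe launched from outside an Adobe install directory, and connections to the refanged C2 address. This is an added example, not code from the researchers or the article; the tab-separated event format, the sample events and the "legitimate Adobe path" prefixes are constructed assumptions.

```python
import ntpath

# Indicators quoted in the article, C2 address kept in its defanged form
C2_IP_DEFANGED = "60[.]211[.]253[.]28"
LURE_FILENAMES = {
    "2013-Yilliq Noruz Bayram Merikisige Teklip.pdf",
    "联名信.pdf",
    "arp.pdf",
}
# Assumption: Adobe Reader normally lives under these directories on Windows
LEGIT_ACRORD_PREFIXES = (
    r"c:\program files\adobe" + "\\",
    r"c:\program files (x86)\adobe" + "\\",
)


def refang(indicator):
    """Turn a defanged IoC like 60[.]211[.]253[.]28 back into a matchable value."""
    return indicator.replace("[.]", ".")


C2_IP = refang(C2_IP_DEFANGED)


def suspicious_attachment(filename):
    return filename in LURE_FILENAMES


def suspicious_process(path):
    """AcroRd32.exe is only expected from an Adobe install directory;
    the dropper described in the article writes its own copy elsewhere."""
    p = path.lower()
    return ntpath.basename(p) == "acrord32.exe" and not p.startswith(LEGIT_ACRORD_PREFIXES)


def suspicious_connection(dst_ip):
    return dst_ip == C2_IP


CHECKS = {"attachment": suspicious_attachment, "process": suspicious_process,
          "netconn": suspicious_connection}


def scan_events(events):
    """Return the (kind, value) pairs that match any indicator. Events are
    constructed '<kind>\\t<value>' lines, not a real product's log format."""
    hits = []
    for line in events:
        kind, value = line.split("\t", 1)
        if kind in CHECKS and CHECKS[kind](value):
            hits.append((kind, value))
    return hits


# Constructed sample events: three should match, three should not
SAMPLE_EVENTS = [
    "attachment\t联名信.pdf",
    "attachment\tquarterly_report.pdf",
    "process\tC:\\Users\\alice\\AppData\\Local\\Temp\\AcroRd32.exe",
    "process\tC:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe",
    "netconn\t60.211.253.28",
    "netconn\t8.8.8.8",
]
```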

While these attacks seem to be fairly rudimentary espionage-type campaigns, the group behind them quickly adopted new capabilities such as the sandbox-bypass vulnerability.

“Due to this advanced capability, it is extremely valuable to any attacker,” Kaspersky’s Raiu said. “Although it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.”
