Attackers with a command-and-control infrastructure based in China are leveraging the same vulnerability exploited by MiniDuke, with new exploit code, to attack Uyghur and Tibetan activists.
Researchers at Kaspersky Lab and AlienVault discovered a spear phishing campaign targeting non-governmental activists with PDF files rigged to exploit CVE-2013-0640, the first confirmed sandbox bypass for Adobe Reader.
The malicious PDFs pretend to be a New Year’s party invitation and an authorization form requesting some sort of reimbursement for a Tibetan activist group. Once executed, a dropper lands on the victim’s machine and communicates with the command and control server located in the Shandong province of China. From there, the C&C server installs a remote access Trojan on the compromised machine.
“[The RAT] lets [the attacker] access the victim’s system to do virtually everything they want: stealing documents, uploading more malware,” said AlienVault Labs manager Jaime Blasco. “And of course, they can upload new modules to expand the functionalities if they require more.”
While this campaign exploits the same flaw in Adobe Reader as MiniDuke—the vulnerability was patched Feb. 20—there are differences between the two attacks. MiniDuke was used primarily against government agencies in Europe, relied on steganography to hide its backdoor code, and used Twitter posts to locate the servers hosting that code. While these new attacks also concentrate on stealing data, part of the malware is signed with a compromised certificate, and the location of the C2 server also differs from MiniDuke's.
“Based on the exploit code and the payloads that are being used in the attack, it is clear that the group is a different one,” Blasco said. “Also the infrastructure is completely different and the modus operandi is very close to a few campaigns we have tracked in the past that were targeting mainly NGOs and other activists outside China.”
The Uyghurs, much like the Tibetans, have been a frequent target for attackers inside China. Espionage campaigns targeting the Turkic ethnic group have been escalating in recent weeks and have followed a similar pattern. In mid-February, a spear phishing campaign was spotted targeting the group with malicious Microsoft Word documents that exploited a buffer overflow vulnerability discovered and patched in 2009. Attacks against Mac OS X users were also detected last summer; those gave attackers remote control of Mac computers in order to access and steal files.
In this campaign, the same group appears to be targeting the Uyghur and Tibetans simultaneously; Kaspersky Lab senior security researcher Costin Raiu said the connection could be a human rights conference taking place this week in Geneva.
“It is not that rare [both are targeted together], but it is true that most of the times they use different campaigns to target different groups,” Blasco said. “In the past, we also found similar patterns across campaigns targeting both Uyghur and Tibet people.”
Researchers found three different filenames for the PDF exploits: 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf; 联名信.pdf; and arp.pdf. Raiu and Blasco said the JavaScript code inside the PDFs resembles MiniDuke's, minus some of the initial variables and obfuscation.
The malware dropped by the PDFs is detected by Kaspersky as Trojan.Win32.Agent.hwoo and .hwop. The dropper writes an executable to a local file called AcroRd32.exe; when that file executes, it drops a small backdoor that connects to the command and control server at 60[.]211[.]253[.]28. Both of the campaign's C&C domains resolve to that IP address, which was registered by the same party located in Shandong. The data-stealing part of the payload is detected as Trojan.Win32.Swisyn.
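Two of the behaviours described above are cheap to hunt for in endpoint telemetry: a binary named AcroRd32.exe running from somewhere other than an Adobe install directory, and any process connecting to the C2 address named in the article. The following triage script is an added example, not code from the researchers or the article; the event format, the drop path under the user's Temp directory, and the list of trusted Adobe directories are assumptions, and the sample events are constructed.

```python
import ipaddress
from pathlib import PureWindowsPath

# Indicator quoted in the article (refanged). A real deployment would pull
# indicators from a maintained feed rather than hard-code them.
C2_IPS = {ipaddress.ip_address("60.211.253.28")}

# Assumption: where a genuine Adobe Reader binary is expected to live.
TRUSTED_ADOBE_DIRS = (
    "c:\\program files\\adobe\\",
    "c:\\program files (x86)\\adobe\\",
)

# Constructed sample telemetry (not real logs): process creations and
# outbound connections, in a simplified EDR-style dict format.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\AcroRd32.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\AcroRd32.exe",
     "dst_ip": "60.211.253.28", "dst_port": 80},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]


def is_masquerading_reader(image: str) -> bool:
    """True when a file named AcroRd32.exe runs outside the trusted Adobe directories."""
    path = PureWindowsPath(image)
    if path.name.lower() != "acrord32.exe":
        return False
    return not str(path).lower().startswith(TRUSTED_ADOBE_DIRS)


def triage(events):
    """Return (rule_name, detail) tuples for every event matching a detection rule."""
    alerts = []
    for event in events:
        if event["type"] == "process" and is_masquerading_reader(event["image"]):
            alerts.append(("acrord32_outside_adobe_dir", event["image"]))
        elif event["type"] == "network" and ipaddress.ip_address(event["dst_ip"]) in C2_IPS:
            detail = f'{event["image"]} -> {event["dst_ip"]}:{event["dst_port"]}'
            alerts.append(("known_c2_connection", detail))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The path rule fires on the dropped copy but not on the legitimate Reader, and the network rule fires on the backdoor's beacon regardless of which process name it hides behind.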
While these attacks appear to be fairly rudimentary espionage campaigns, the group quickly adopted new capabilities such as the sandbox-bypass exploit.
“Due to this advanced capability, it is extremely valuable to any attacker,” Kaspersky’s Raiu said. “Although it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.”