A California-based news website covering China, called China Digital Times, was targeted in a spying campaign that involved phishing lures and the use of the NetWire remote access Trojan.
The attacks began in February 2017 and were part of a wider campaign of phishing, reconnaissance and malware operations that used domains and content made to mimic other Chinese-language news websites including China Digital Times, Epoch Times, Mingjing News, HK01 and Bowen Press.
According to an investigation by the Munk School of Global Affairs at the University of Toronto’s Citizen Lab, published Wednesday, the attacks were similar to previous malware campaigns targeting a Tibetan radio station and the Thai government.
One phishing attack targeting China Digital Times (CDT) included an email claiming to come from a University of California Berkeley student with a news tip. “I have insider information that is different from what you’ve published,” the email read, and it included a link. When clicked, the link delivered an article from a spoofed version of the CDT news site.
“Clicking on the link displays the article with a pop-up message asking the journalist to enter their username and password in a prompt designed to look like a WordPress login page,” Citizen Lab wrote. “The real CDT website runs on WordPress, and therefore the purpose of this phishing campaign is to steal credentials to the actual CDT website and gain access.”
A second phishing email attempted to lure CDT staff to a spoofed version of the news website Mingjing News. This spoofed page did not include malicious content and was believed to serve only to determine whether a target would click on the link.
The attempts to trick China Digital Times did not succeed, but they tipped off Citizen Lab researchers to other aspects of a larger phishing campaign run by the same threat actors. By examining WHOIS registration data, researchers uncovered additional domains spoofing Epoch Times, HK01 and Bowen Press.
According to researchers, attackers “used domains and copied content that masqueraded as Epoch Times, Mingjing News, HK01, and Bowen Press.” While each of these sites reports on China, Citizen Lab said it is unclear whether those news websites were themselves targeted, or who was behind the attacks in the first place.
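As an added illustration of the WHOIS pivot described above (this is example code, not from the Citizen Lab report), the following Python triages a constructed set of registration records: starting from one known spoof domain, it collects the other domains that share its registrant and flags those whose label resembles one of the outlets named in the report. Every domain and registrant address below is a constructed placeholder.

```python
from difflib import SequenceMatcher

# Brand keywords taken from the outlets named in the report.
BRANDS = ("chinadigitaltimes", "epochtimes", "mingjing", "hk01", "bowenpress")

# Constructed WHOIS-style records (not the real domains from the report).
WHOIS_RECORDS = [
    {"domain": "chinadigitaltimes-news.com", "registrant": "reg1@mail.example"},
    {"domain": "epochtlmes.com", "registrant": "reg1@mail.example"},  # 'l' for 'i'
    {"domain": "hk01-update.com", "registrant": "reg1@mail.example"},
    {"domain": "bowenpress.info", "registrant": "reg1@mail.example"},
    {"domain": "weather-daily.example", "registrant": "reg1@mail.example"},
    {"domain": "mingjingnews.org", "registrant": "other@mail.example"},
]


def pivot_on_registrant(records, seed_domain):
    """Return every other domain registered with the seed's registrant address."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return []
    return sorted(r["domain"] for r in records
                  if r["registrant"] == seed["registrant"] and r["domain"] != seed_domain)


def brand_match(domain, brands=BRANDS, threshold=0.8):
    """Name the brand a domain label imitates, by containment or fuzzy similarity."""
    label = domain.split(".")[0]  # registrable label only; the TLD is ignored
    best = None
    for brand in brands:
        if brand in label:  # e.g. hk01-update contains hk01
            return brand
        ratio = SequenceMatcher(None, label, brand).ratio()  # catches typosquats
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (brand, ratio)
    return best[0] if best else None


def find_lookalikes(records, seed_domain):
    """Map each pivoted domain that imitates a named outlet to that outlet."""
    hits = {}
    for domain in pivot_on_registrant(records, seed_domain):
        brand = brand_match(domain)
        if brand:
            hits[domain] = brand
    return hits


if __name__ == "__main__":
    for domain, brand in find_lookalikes(WHOIS_RECORDS, "chinadigitaltimes-news.com").items():
        print(f"{domain} -> lookalike of {brand}")
```

Domains that share a registrant but resemble no outlet (the weather site here) are left for manual review rather than flagged, and a domain with a different registrant is never reached by the pivot.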
Of the domains spoofed, the HK01 and Bowen Press websites contained links to the NetWire malware payload, Citizen Lab reported. NetWire is a Trojan known for collecting stored usernames and passwords from targeted systems, as well as planting keyloggers, taking screenshots and capturing audio.
Visitors to the spoofed HK01 website saw a front page identical to HK01’s, except that the site’s center content block was blank. The visitor was then prompted to update Adobe Flash Player with the message “Adobe Flash Player this version is outdated. Please click.”
“Clicking this link initiates a download of an executable and then forwards the user to the legitimate Adobe update site,” researchers said. That first executable is a dropper program designed to pull down the NetWire RAT payload.
Further analysis by researchers pinpointed four unique malicious files in the “Adobe Flash Player update” directory. Each file has the same objective: delivering the dropper. Each file is packed with VMProtect, software used to obfuscate source code to make analysis and reverse engineering more difficult, according to researchers.
As for malware hosted on the spoofed Bowen Press website, Citizen Lab said no samples were present at the time of analysis. The site’s front page, like HK01’s, was missing content. An analysis of the spoofed site’s history revealed that it had at one time served malware.
“The use of this URL path further suggests that the fake Bowen Press domain and content were used to serve malware at some point,” researchers said.
Researchers acknowledge that several news organizations that report on China have also been targeted in the past by phishing and malware campaigns.
“In 2009, as part of the GhostNet investigation, Citizen Lab found that China-based operators had infiltrated the mail servers of Associated Press offices in London and Hong Kong,” researchers wrote.
They add that Reuters, The Straits Times, The New York Times and Agence France-Presse have also reported past intrusions by hackers believed to be sponsored by China.
Citizen Lab could not, however, concretely link the most recent attacks it observed to China.
“These news websites report on issues sensitive to the government of China and are blocked in the country. However, this report does not conclusively attribute the campaign to a publicly reported threat actor or state sponsor,” the researchers wrote.