Tibetan, Uyghur activists fall victim to MiniDuke malware

Activists for Tibet and China’s Uyghur community are being targeted with an Adobe PDF vulnerability using the MiniDuke malware
Activists for Tibet and China’s Uyghur community are being targeted with an Adobe PDF vulnerability using the MiniDuke malware

In late February, Government officials in more than 20 countries were the victims of an Adobe-based exploit that hackers have used to drop the MiniDuke malware, tasked with stealing intelligence from political targets. Kaspersky Lab uncovered attacks on the governments of Ireland, Romania, Portugal, Belgium and the Czech Republic, along with a research foundation in Hungary, two think-tanks and a healthcare provider in the US. In all, there were 59 unique victims in 23 countries.

Now, Kaspersky and AlienVault Labs have detected that a different group of attackers have been using this vulnerability to target non-governmental and human rights organizations, but with the same aim of cyber-espionage.

“Based on the samples we found we believe this group has been running a spearphishing campaign from the last few weeks,” AlienVault researcher Jaime Blasco noted in the company blog. The files that have been analyzed are PDF files that contain code to exploit CVE-2013-0640 – a vulnerability that Adobe patched last month.

Once the victim opens the file, the system becomes infected and a lure document is displayed. PDF lures include a document titled 2013-Yilliq Noruz Bayram Merik isige Teklip.pdf, and refers to a New Year's party invitation. A second one, "arp.pdf", is an authorization to request a reimbursement for a Tibetan activist group. All documents drop the same malware, detected by Kaspersky as Trojan.Win32.Agent.hwoo and Trojan.Win32.Agent.hwop.

“This is one of the rare cases when the same threat actor hits both Tibet and Uyghur activists at exactly the same time,” wrote Costin Raiu and Igor Soumenkov at Kaspersky Lab. “It is possible this was done in regards to a human rights conference which is taking place in Geneva between 11–13 March, 2013.”

At the moment, all involved domains point to the same IP address: 60.211.253.28. The server is located in China, in Shandong province, Kaspersky researchers noted.

The MiniDuke malware employs encrypted backdoors in compromised systems that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine, they can fetch a larger backdoor that carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and, of course, download and execute new malware and lateral movement tools.

“The PDF exploit originally discovered by FireEye is the first known exploit capable of bypassing the Adobe Reader X sandbox. Due to this advanced capability, it is extremely valuable to any attacker,” the Kaspersky analysts wrote. “Although it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.”

Chinese hacktivists have long been suspected of using malware to attack activists who support Tibet as well as the Uyghurs, which are a Turkic, Muslim ethnic group living in Eastern and Central Asia and China. Like Tibetan activists, they consider themselves autonomous, and in recent months have been finding themselves in several skirmishes with the Han, who comprise 92% of China’s population. They mostly live in an autonomous region in northwestern China.

AlienVault and Kaspersky Lab in the last year have reported multiple attacks targeting Uyghurs, including a MaControl variant and a Windows version using Gh0st RAT.

What’s Hot on Infosecurity Magazine?