During the past year, Check Point Research (CPR), in cooperation with Kaspersky’s GReAT, has been tracking an ongoing attack targeting a small group of Uyghur individuals located in Xinjiang and Pakistan. Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to originate from the United Nations and use current, related themes, or by setting up websites for non-existent organizations claiming to fund charity groups.
In this report, we examine the flow of both infection vectors and provide our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.
Our investigation began with a malicious document named UgyhurApplicationList.docx (MD5: a1d773621581981a94459bbea454cdf8), which carried the logo of the United Nations Human Rights Council (UNHRC), and contained decoy content from a United Nations general assembly discussing human rights violations.
Fig. 1 Delivery document carrying the UNHCR logo
After the victim clicks “Enable Editing”, a malicious external template is downloaded from officemodel[.]org. This template contains embedded VBA macro code, which checks the operating system’s architecture and, based on the result, decodes either a 32-bit or a 64-bit payload.
Fig. 2 Malicious macros checking the operating system version
The payloads are embedded in the document itself, base64 encoded. After the version matching the architecture is decoded, it is named OfficeUpdate.exe and saved under the %TEMP% directory. In the two OfficeUpdate.exe samples we located, the payload was a shellcode loader that begins with basic evasion and anti-debugging checks, using functions such as sleep and QueryPerformanceCounter. The shellcode in both variants attempts to fetch a remote payload: in the first variant, the loaded shellcode attempted to connect to 185.94.189[.]207, while the second variant tried to connect to officemodel[.]org, although it crashes during execution. Unfortunately, we were not able to retrieve the next-stage payload for analysis.
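The two document-level indicators described above, a remote attached template and a base64-encoded executable carried inside the package, can both be checked statically. The following triage script is an added example, not CPR's tooling, and the .docx it inspects is constructed in memory with a placeholder template URL and a dummy PE; the relationship type URI and the `word/_rels/settings.xml.rels` path are the standard OOXML locations Word uses for an attached template.

```python
"""Triage a .docx for a remote attached template and base64-embedded PE blobs.
Added example, not CPR's tooling; the sample document is constructed below."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# A base64 run this long is not an ordinary string; executables encode to thousands of chars.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_external_templates(docx_bytes):
    """Return remote attachedTemplate targets declared in word/_rels/settings.xml.rels.

    Word resolves such a relationship when the document is opened and loads the
    template, macros included, from that URL: the hop the delivery document uses.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return targets
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def find_base64_pe_blobs(data):
    """Return (offset, decoded_length) for each long base64 run that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial quartet
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded.startswith(b"MZ"):  # DOS header magic of a PE image
            hits.append((m.start(), len(decoded)))
    return hits


def triage_docx(docx_bytes):
    """Scan every package part; returns the external templates and per-part PE hits."""
    report = {"external_templates": find_external_templates(docx_bytes),
              "embedded_pe": {}}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            blobs = find_base64_pe_blobs(z.read(name))
            if blobs:
                report["embedded_pe"][name] = blobs
    return report


def build_sample_docx():
    """Construct a minimal .docx carrying both indicators (test data, not the real document)."""
    fake_pe = b"MZ" + b"\x00" * 398  # stand-in for an executable: 400 bytes -> 536 base64 chars
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            'Target="http://template.example/remote.dotm" TargetMode="External"/>'
            '</Relationships>')  # placeholder URL, not the operation's real one
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
        # Real macros sit compressed inside word/vbaProject.bin (extract them with
        # olevba first); this plain-text part stands in for the decompressed source.
        z.writestr("word/macro_source.txt",
                   b'x64 = "' + base64.b64encode(fake_pe) + b'"')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

On a real sample, run the scan over the macro source recovered with olevba rather than over the raw vbaProject.bin, since the VBA stream is compressed and the base64 string would not appear contiguously; the external-template check, by contrast, works on the unmodified .docx because the relationship part is plain XML.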
The domain observed in the malicious document (officemodel[.]org) resolved to the same IP address as unohcr[.]org, a domain impersonating the Office of the United Nations High Commissioner for Human Rights (OHCHR). This overlap in resolution persisted for a long period, from April to December 2020.
By pivoting on that infrastructure, we were able to reveal another infection vector used in this operation: distribution through fake websites hosting malicious executables targeting Windows users.
Fig. 3 Connection to additional domains
Another IP address that unohcr[.]org resolved to led us to a domain named tcahf[.]org, which hosted a website claiming to represent TCAHF, the “Turkic Culture and Heritage Foundation”.
TCAHF is supposedly a private organization that funds and supports groups working for “Tukric culture and human rights”, but in truth it is a made-up entity, and most of its website’s content is copied from the legitimate opensocietyfoundations.org.
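The pivot chain above (officemodel[.]org to unohcr[.]org through a shared IP, then unohcr[.]org to tcahf[.]org through a second shared IP) is a co-resolution walk over passive-DNS data. The script below is an added example of that walk, not CPR's tooling; its resolution records use reserved TEST-NET addresses and constructed dates, not the operation's real resolution history, and it requires a minimum overlap in time so that a brief coincidence on bulk hosting does not count as a link.

```python
"""Walk passive-DNS style records to find domains that shared hosting with a seed
domain at the same time. Added example; records and IPs are constructed."""
from collections import defaultdict
from datetime import date

# (domain, ip, first_seen, last_seen): constructed sample modelled on the kind of
# overlaps the report describes, with placeholder TEST-NET addresses.
RECORDS = [
    ("officemodel[.]org", "192.0.2.10", date(2020, 4, 1), date(2020, 12, 31)),
    ("unohcr[.]org", "192.0.2.10", date(2020, 3, 15), date(2020, 12, 31)),
    ("unohcr[.]org", "192.0.2.20", date(2021, 1, 5), date(2021, 4, 30)),
    ("tcahf[.]org", "192.0.2.20", date(2021, 2, 1), date(2021, 5, 31)),
    # Same IP as the seed, but a year earlier: a tenant, not a link.
    ("shared-host.example", "192.0.2.10", date(2019, 1, 1), date(2019, 6, 30)),
]

MIN_OVERLAP_DAYS = 30  # a shared IP for a day or two is weak evidence on bulk hosting


def overlap_days(a, b):
    """Days that two (first_seen, last_seen) windows overlap; 0 when disjoint."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(0, (end - start).days + 1)


def co_resolving(seed, records, min_days=MIN_OVERLAP_DAYS):
    """Domains that resolved to one of seed's IPs while seed did: {domain: (ip, days)}."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in records:
        by_ip[ip].append((domain, (first, last)))
    found = {}
    for ip, entries in by_ip.items():
        seed_windows = [w for d, w in entries if d == seed]
        for domain, window in entries:
            if domain == seed:
                continue
            days = max((overlap_days(sw, window) for sw in seed_windows), default=0)
            if days >= min_days and days > found.get(domain, ("", 0))[1]:
                found[domain] = (ip, days)
    return found


def pivot(seed, records, max_hops=2, min_days=MIN_OVERLAP_DAYS):
    """Breadth-first walk over co-resolution links: {domain: (via_ip, overlap_days, hop)}."""
    graph = {seed: (None, 0, 0)}
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        nxt = []
        for d in frontier:
            for other, (ip, days) in co_resolving(d, records, min_days).items():
                if other not in graph:
                    graph[other] = (ip, days, hop)
                    nxt.append(other)
        frontier = nxt
    return graph


if __name__ == "__main__":
    for domain, (ip, days, hop) in pivot("officemodel[.]org", RECORDS).items():
        print(f"hop {hop}: {domain} via {ip} ({days} overlapping days)")
```

Each hop widens the set of candidate domains, so keep `max_hops` small and treat every link found this way as a lead to be confirmed by content (the copied charity-site text, the impersonated OHCHR branding) rather than as proof on its own.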