
Malware-laden text editor used to target Uyghur users


A new phishing campaign targeting members of the Uyghur diaspora has come to light. The campaign sends its targets links to a trojanised build of an open-source Uyghur-language text editor. The bundled malware opens a backdoor on the victim's PC, through which the operators can extract sensitive information and install additional malware.

According to a Citizen Lab report, the campaign is targeting members of the World Uyghur Congress (WUC) living in exile. Although the malware itself isn't particularly advanced, the delivery mechanism is "extremely well customised to reach the target population," the report adds.

The trojanised app is UyghurEditPP, created by a developer known to the WUC who has also worked on optical character recognition (OCR) and speech recognition software for the Uyghur language. The attackers exploited this trusted relationship: the phishing emails impersonated a "trusted contact at a partner organisation and contained Google Drive links that, if clicked, would download a password-protected RAR archive." Password-protecting the archive is a common way to keep mail gateways and antivirus scanners from inspecting its contents before the victim extracts it.


Once the victim extracts the archive and runs the program, the malware opens a backdoor. Through it, the operators can collect information about the device, upload data to a command and control server, and download further files, including additional malware, to deepen the compromise.

Fortunately, the targeted WUC members had already been alerted to the campaign by Google, and the malware did not rely on any zero-day exploits or "mercenary spyware."

The campaign isn't an isolated incident either. The researchers describe it as part of a "broader practice used by authoritarian states called digital transnational repression." The threat actors behind the campaign haven't been identified, but Citizen Lab notes that the Chinese government has previously used similar tactics against the Uyghur community.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
