During the last few days AlienVault and Kaspersky Labs have been investigating a new strain of spearphishing mails sent to the Uyghur community.
Below are the findings of Mr Blasco, Labs Director at AlienVault, and you can find screenshots here: http://labs.alienvault.com/labs/index.php/2013/cyber-espionage-campaign-against-the-uyghur-community-targeting-macosx-systems/
You can read Kaspersky's analysis here: https://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify
Cyber espionage campaign against the Uyghur community, targeting MacOSX systems
"The emails sent to the Uyghur community contain a Microsoft Office .doc file that exploits MS09-027 affecting Microsoft Office for Mac; this is the same exploit used in other attacks we discovered in the past.
During the last year we reported a couple of attacks targeting Uyghurs:
- New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT
Similar attacks have been reported against other ethnic groups like the Tibetan people and other NGOs and human rights organisations:
- Targeted attacks against Tibet organizations
- MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT
They have even used our research as lure to target non-governmental organizations.
Some of the filenames used in this campaign are:
- WUC Hacking Emails.doc
- Concerns over Uyghur People.doc
- Hosh Hewer.doc
- Jenwediki yighingha iltimas qilish Jediwili.doc
- Jenwediki yighingha iltimas qilish Jediwili.doc
- list.doc
- Press Release on Commemorat the Day of Mourning.doc
- The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
- Uyghur Political Prisoner.doc
- Deported Uyghurs.doc
- Kadeer Logistics detail.doc
- Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
An easy way to identify the documents is to look for the “author” of the document that is always “captain”. This author has been used several times in the past to perform similar attacks.
Once the victim opens the document the exploit is triggered and the shellcode writes several files on the temporary directory
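The "author is always captain" indicator above can be checked mechanically. The following Python is an added example written for this page, not code from AlienVault or Kaspersky: it parses a raw SummaryInformation property-set stream (the OLE stream where a .doc stores its Author field), pulls out the Author value and compares it with the campaign indicator. The `build_summary_stream` helper constructs a minimal, synthetic stream so the parser can be exercised offline; the optional `scan_doc` wrapper assumes the third-party `olefile` library is installed to lift the stream out of a real document.

```python
import struct
import uuid
from typing import Dict, Optional

# Property ids and variant types from the OLE property-set format
PID_CODEPAGE = 0x00000001
PIDSI_AUTHOR = 0x00000004
VT_I2 = 0x0002
VT_LPSTR = 0x001E
VT_LPWSTR = 0x001F
FMTID_SUMMARY_INFORMATION = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9").bytes_le
CAMPAIGN_AUTHOR = "captain"   # indicator quoted in the article


def _codec_for(codepage: int) -> str:
    """Map a Windows codepage number to a Python codec name."""
    if codepage == 65001:
        return "utf-8"
    if codepage == 1200:
        return "utf-16-le"
    return f"cp{codepage}"


def extract_author(stream: bytes) -> Optional[str]:
    """Return the Author property from a SummaryInformation stream, or None if absent."""
    if len(stream) < 48 or struct.unpack_from("<H", stream, 0)[0] != 0xFFFE:
        raise ValueError("not an OLE property set stream")
    if struct.unpack_from("<I", stream, 24)[0] < 1:          # number of property sets
        return None
    sec_off = struct.unpack_from("<I", stream, 44)[0]        # offset of the first section
    _sec_size, n_props = struct.unpack_from("<II", stream, sec_off)
    # id -> absolute offset of each property value, from the section's id/offset table
    props: Dict[int, int] = {}
    for i in range(n_props):
        pid, off = struct.unpack_from("<II", stream, sec_off + 8 + 8 * i)
        props[pid] = sec_off + off
    codepage = 1252                                           # default if no codepage property
    if PID_CODEPAGE in props:
        vt, cp = struct.unpack_from("<IH", stream, props[PID_CODEPAGE])
        if vt == VT_I2:
            codepage = cp
    if PIDSI_AUTHOR not in props:
        return None
    p = props[PIDSI_AUTHOR]
    vt, length = struct.unpack_from("<II", stream, p)
    if vt == VT_LPSTR:                                        # codepage string, NUL-terminated
        raw = stream[p + 8:p + 8 + length].split(b"\x00", 1)[0]
        return raw.decode(_codec_for(codepage), errors="replace")
    if vt == VT_LPWSTR:                                       # UTF-16LE string, length in characters
        raw = stream[p + 8:p + 8 + 2 * length]
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return None


def is_campaign_author(author: Optional[str]) -> bool:
    """True when the Author field matches the indicator from the campaign."""
    return author is not None and author.strip().lower() == CAMPAIGN_AUTHOR


def build_summary_stream(author: str, codepage: int = 1252) -> bytes:
    """Construct a minimal SummaryInformation stream (synthetic test data, not a real sample)."""
    encoded = author.encode(_codec_for(codepage)) + b"\x00"
    author_val = struct.pack("<II", VT_LPSTR, len(encoded)) + encoded
    author_val += b"\x00" * ((-len(author_val)) % 4)         # values are 4-byte aligned
    codepage_val = struct.pack("<IhH", VT_I2, codepage, 0)    # VT_I2 padded to 4 bytes
    n_props = 2
    values_start = 8 + 8 * n_props                            # after size, count and the id/offset table
    cp_off = values_start
    au_off = values_start + len(codepage_val)
    section = struct.pack("<II", au_off + len(author_val), n_props)
    section += struct.pack("<II", PID_CODEPAGE, cp_off)
    section += struct.pack("<II", PIDSI_AUTHOR, au_off)
    section += codepage_val + author_val
    header = struct.pack("<HHI16sI", 0xFFFE, 0, 2, b"\x00" * 16, 1)   # 28-byte header
    header += FMTID_SUMMARY_INFORMATION + struct.pack("<I", 48)        # one section, right after
    return header + section


def scan_doc(path: str) -> Optional[str]:
    """Read the Author field of a real .doc; assumes the third-party olefile package is installed."""
    import olefile  # pip install olefile (lazy import so the parser above works without it)
    ole = olefile.OleFileIO(path)
    try:
        if not ole.exists("\x05SummaryInformation"):
            return None
        return extract_author(ole.openstream("\x05SummaryInformation").read())
    finally:
        ole.close()


if __name__ == "__main__":
    sample = build_summary_stream("captain")                  # constructed, stands in for a sample .doc
    author = extract_author(sample)
    print(f"author={author!r} campaign_match={is_campaign_author(author)}")
```

A metadata match on its own is only a triage hint: the indicator is cheap for an attacker to change, so treat a hit as a reason to pull the file for the MS09-027 exploit check and the temporary-directory drops described in the analysis, not as a verdict.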