United Nations (UN) branding is being abused in a campaign designed to spy on Uyghurs. 

Potential victims are sent phishing documents branded with the United Nations’ Human Rights Council (UNHRC) logo. Named UgyhurApplicationList.docx, with decoy

Dubbed “OfficeUpdate.exe,” the file is shellcode that fetches and loads a remote payload, but at the time of analysis, the IP was unusable. However, the domains linked to the malicious email attachment expanded the investigation further to a malicious website used for malware delivery under the guise of a fake human rights organization.

screenshot-2021-05-26-at-16-17-33.png

The “Turkic Culture and Heritage Foundation” (TCAHF) domain claims to work for “Tukric culture and human rights,” but the copy has been stolen from opensocietyfoundations.org, a legitimate civil rights outfit.

Both domains redirect to the website of a Malaysian government body called the Terengganu Islamic Foundation,This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.

This website, directed at Uyghurs seeking funding, tries to lure visitors into downloading a “security scanner” prior to filing the information required to apply for a grant. However, the software is actually a backdoor. They are most likely Chinese-speaking and are still active, with new domains registered this year to the same IP address connected to past attacks. 

Victims have been located in China and Pakistan in regions mostly populated by Uyghurs.