Human Rights and Malware Attacks
by Nart Villeneuve
On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to visit a compromised website that contained malicious code designed to allow the attackers to ultimately take full control of the visitor’s computer. These targeted malware attacks are now becoming commonplace, further extending the threat faced by civil society organizations.
One of the domains used in this attack, humanright-watch.org, has been used in a variety of attacks and has been documented by Mila at contagiodump.blogspot.com.
Internet censorship is but one component of “a matrix of control” that acts to restrict and control information flow in China. The combination of censorship along with surveillance aims to influence behavior toward self-censorship so that most will not actively seek out banned information, let alone the means to bypass these controls. Those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats—not simply censorship.
A 2008 report titled Breaching Trust: An Analysis of Surveillance and Security Practices on China’s TOM-Skype Platform uncovered that Skype and its Chinese partner Tom Online operated a surveillance network which insecurely captured millions of records including contact details for any text chat and/or voice calls and the full text of sensitive chat messages. A large portion of these captured messages concerned a political campaign that urged Chinese citizens to quit the Communist Party.
There have been an increasing number of targeted malware attacks against civil society organizations, human rights groups, media organizations, and Tibetan supporters. Typically, the targeted user receives an email, possibly appearing to be from someone they know who is a real person within his or her organization, with some text—sometimes specific, sometimes generic—that urges the user to open an attachment, usually a PDF or Microsoft Office document (or to visit a web site).
If the user opens the attachment with a vulnerable version of Adobe Reader or Microsoft Office (other types of software are also being exploited) and no other mitigations are in place, their computer will likely be compromised. A clean version of the document is typically embedded in the malicious file and is opened upon successful exploitation so as not to arouse the recipient’s suspicion.
Then the user’s computer checks in with a command and control server. At this point, the attacker has full control of the user’s system. The attacker can steal documents, email and send other data, or force the compromised computer to download additional malware and possibly use the infected computer as a mechanism to exploit the victim’s contacts or other computers on the target network.
In the last year, the Information Warfare Monitor has uncovered two cyber-espionage networks, investigated numerous targeted malware attacks, and published two reports: Tracking GhostNet: Investigating a Cyber Espionage Network and Shadows in the Cloud: An Investigation into Cyber Espionage 2.0.
The first, GhostNet, was a network of over 1200 compromised computers spread across 103 countries, 30 percent of which we identified and determined to be “high-value” targets, including ministries of foreign affairs, embassies, international organizations, news organizations, and a computer located at NATO headquarters. While we were able to determine that these entities had been compromised, we were only able to theorize about what type of data the attackers were able to acquire.
Our follow-up investigation uncovered the Shadow Network, and unlike GhostNet we were able to acquire the data stolen by the attackers. We were able to access just one portion of the Shadow Network that was primarily focused on extracting sensitive information from India. We recovered a wide variety of documents, including one document that appeared to be encrypted diplomatic correspondence, two documents marked “SECRET,” six as “RESTRICTED,” and five as “CONFIDENTIAL” which appear to belong to Indian government entities including the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.
The nature of the compromised entities and the data stolen by the attackers do indicate correlations with the strategic interests of the People’s Republic of China, but we were unable to determine any direct connection between these attackers and elements of the Chinese state.
On March 18, 2010, attackers sent a “spear phishing” email that appeared to originate from Sharon Hom’s email account to several different organizations and individuals. The subject of the email was “Microsoft, Stool Pigeon for the Cops and FBI” and the email contained a JPG attachment. However, the attackers’ objective was for the targets to visit the link contained in the email. The link, www.cfcr2008.org, redirected to cfcr.i1024.com, which was compromised by the attackers and in which they had inserted code that caused visitors to the website to open a malicious PDF from www.520520.com.tw. This PDF exploited Adobe Reader and compromised the visitor’s computer. Compromised computers then connected to a website under the attackers’ control, www.humanright-watch.org, and downloaded additional malware before ultimately connecting to a command and control server, 360liveupdate.com, in China.
From: Sharon Hom <mailto:email@example.com>
To: [REDACTED]
Sent: Thursday, March 18, 2010 9:46 AM
Subject: Microsoft, Stool Pigeon for the Cops and FBI
I’ve got my hands on a copy of the leaked, confidential Microsoft “Global Criminal Compliance Handbook,” which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on. Attachments are scanned copies of documents.
For the whole documents, please visit http://www.cfcr2008.org
Although the email appeared to be from HRIC, it was actually sent from the following location:
: firstname.lastname@example.org <mailto:email@example.com>
Received: from mail.idcsea.com.cn (mail.idcsea.com.cn [18.104.22.168])
X-mailer: Foxmail 5.0 [cn]
The email headers reveal that the attackers actually sent the email from the following IP address:
OrgName: DCS Pacific Star, LLC
Address: 5050 El Camino Real, #238
City: Los Altos
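The header comparison described above can be automated at the mail gateway. The following is an added example, not code from the original article: it assumes the message is captured at the recipient's own MX (so the top-most Received header is one the recipient's server wrote), and the sender and recipient addresses in the sample are constructed placeholders, while the relay host, IP string and X-Mailer value are the ones quoted in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Addresses under *.example are placeholders;
# relay host, IP string and X-Mailer are the values quoted in the article.
RAW = """\
Received: from mail.idcsea.com.cn (mail.idcsea.com.cn [18.104.22.168])
\tby mx.recipient.example with ESMTP; Thu, 18 Mar 2010 09:46:00 -0400
From: Sharon Hom <director@claimed-org.example>
To: staff@recipient.example
Subject: Microsoft, Stool Pigeon for the Cops and FBI
X-Mailer: Foxmail 5.0 [cn]

For the whole documents, please visit http://www.cfcr2008.org
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by the receiving server.
PEER_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def triage(raw, known_mailers=()):
    """Compare the claimed sender with the peer our own MX recorded."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Top-most Received is stamped by our server; lower ones are sender-controlled.
    received = msg.get_all("Received") or []
    m = PEER_RE.search(received[0]) if received else None
    _helo, rdns, ip = m.groups() if m else ("", "", "")
    rdns = rdns.lower()
    mailer = msg.get("X-Mailer", "")
    findings = []
    if not m:
        findings.append("no-parsable-received-peer")
    elif not (rdns == from_domain or rdns.endswith("." + from_domain)):
        findings.append("relay-outside-sender-domain")
    # known_mailers: prefixes of clients the claimed organization is known to use.
    if known_mailers and not mailer.startswith(tuple(known_mailers)):
        findings.append("unexpected-mailer")
    return {"claimed_from": addr, "relay_host": rdns, "relay_ip": ip,
            "mailer": mailer, "findings": findings}

if __name__ == "__main__":
    print(triage(RAW, known_mailers=("Microsoft Outlook",)))
```

Legitimate mail is often relayed through third-party providers, so a relay mismatch is a triage signal to combine with SPF and DKIM results rather than a verdict on its own.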
The email encouraged recipients to visit cfcr2008.org, the website of an organization called the Coalition for Citizen’s Rights. This organization is a vocal opponent of the Chinese government.
The attackers compromised the website and inserted malicious code that caused vulnerable visitors to silently load a malicious PDF document that infected the user’s computer with malware.
Image 1 Compromised site: cfcr2008.org -> cfcr.i1024.com
Image 2 js_men.asp
The malicious PDF was hosted on www.520520.com.tw (22.214.171.124), a website located in Taiwan. This malicious file has very low antivirus coverage. Only eight out of forty-two anti-virus products detected the file as malware.
Virustotal: 8/42 (19.05%)
The malware dropped by the malicious PDF issued another connection, this time to www.humanright-watch.org (126.96.36.199). This is a server under the control of the attackers. The malware made a request for another executable, which appeared to be encrypted and which no antivirus products detected as malicious.
GET /fun.exe HTTP/1.1
Virustotal: 0/42 (0%)
Interestingly, the IP address of www.humanright-watch.org (188.8.131.52) is assigned to the same company, DCS Pacific Star, LLC, as the IP address used to send the malicious email (184.108.40.206).
The new malware downloaded from www.humanright-watch.org (220.127.116.11) began encrypted communications with a command and control server located in China at 360liveupdate.com (18.104.22.168).
The command and control server is located in Jiangsu Province, China:
inetnum: 22.214.171.124 – 126.96.36.199
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
The nexus of censorship, surveillance, and malware attacks enables strict information control policies in China that extend beyond China’s boundaries to affect civil society organizations around the world. An increasing number of targeted malware attacks against civil society organizations are being reported. In many cases, the attacks can be traced back to command and control infrastructure located in China. These attacks leverage trust among members of social and political networks using human rights themes and spoofed identities to encourage targeted users to execute malicious code. From that point, unknown attackers have full control over the users’ computers and can conduct surveillance, exfiltrate sensitive information, and use the computer as a staging ground for future attacks.
The original version of this article is available here and in Chinese here.