Emails from selected entities using a JavaScript loophole injected into a webmail scheme typically used in Taiwan have been exfiltrated by a recently discovered malware attack campaign.
The attacks are related to Earth Wendigo, a threat agent who does not seem to be aligned with established hacking organisations, according to an advisory from Trend Micro.
Earth Wendigo has attacked numerous organisations, including government agencies, academic centres, and universities in Taiwan, beginning in May 2019, Trend Micro said.
The attacks include the use of spear-phishing emails to numerous targets, including Tibet, the Uyghur region, or Hong Kong-related politicians and activists.
The group used spear-phishing emails containing obfuscated JavaScript code as an initial attack vector to load malicious scripts from a remote server operated by the attacker.
These scripts were designed to steal browser cookies and webmail session keys, spread the infection by adding code to the email signature of the user, and exploit a JavaScript injection cross-site scripting (XSS) loophole in the webmail server.
The exploited XSS flaw occurs in the shortcut functionality of the webmail system and enables attackers to introduce a shortcut with a constructed payload, substituting malicious JavaScript code for parts of the webmail system’s page.
In January 2020, Trend Micro announced that the XSS flaw was patched, ensuring only organisations that have not upgraded to the new version of the webmail server are now exposed.
If this approach fails, the attackers’ script reports malicious JavaScript code to the Service Worker server (a programmable network proxy within the browser) such that HTTPS requests can be intercepted and exploited, user credentials hacked, and malicious scripts applied to the webmail tab.
After executing an XSS injection or inserting javascript to the Service Worker to ensure that the malicious script is continuously loaded and executed, by building a WebSocket link to an injected JavaScript backdoor, the attackers continue to exfiltrate emails.
On the computer, the backdoor reads emails and transfers their content and attachments to the WebSocket server of the intruder.
Earth Wendigo also uses Python ransomware compiled as Windows executables, which were discovered to be shellcode loaders for code presumably from Cobalt Attack, in addition to attacking webmail servers.
Backdoors demanding additional Python code from the command and control (C&C) server are some of the Python examples. Trend Micro could not, however, decide the intent of the code fetched.
