Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.”
Earth Wendigo deployed spear-phishing emails that contained obfuscate Java script code, using initial attack vectors, Java script loaded corrupted scripts from remote servers controlled by attackers. The scripts were built for stealing Webmail session keys and browser cookies, spread the malicious scripts through appending code with the target's email signature, and exploiting an XSS (cross-site scripting) vulnerability in the Javascript injection Webmail server. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro.
The XSS vulnerability exploit exists in system shortcut feature of webmail, which allows the threat actor to put craft payload shortcut that replaces webmail system page's parts by corrupted JavaScript codes. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.
