Chinese espionage tool exploits vulnerabilities is 58 widely used websites

A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.

Fifty-seven of the sites are popular Chinese portals, while the last is the site for US newspaper, the New York Times.

In addition, the tool also abused legitimate browser features in attempts to collect user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target’s face—although many of these capabilities weren’t as silent as the exploits targeting third-party websites, since they also tended to trigger a browser notification prompt.

Tetris is a complex web-based spying tool

Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership.

“The sites both appear to be independent newsblogs,” said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month.

“Both [sites] are focused on China, one site [is focused on China’s] actions against Taiwan and Hong-Kong written in Chinese and still updated and the other about general atrocities done by the Chinese government, written in Swedish and last updated [in] 2016,” the researcher said.

According to Imp0rtp3, users who landed on these two websites were first greeted by Jetriz, the first of Tetris’ two components, which would gather and read basic information about a visitor’s browser.

If the user had the browser set to use the Chinese language, the would-be victim would be redirected to the second Tetris component.

Named Swid, this component would load 15 different plugins (JavaScript files) inside the victim’s browser in order to perform various actions.

Eight of the plugins would abuse a technique called JSON hijacking to open connections to popular websites and retrieve public data about the user on those sites.

While this technique didn’t include passwords or authentication cookies, Imp0rtp3 said the attacker could collect information such as usernames, phone numbers, or real names, which could be sometimes used to link a visitor to one of their public personas.

Tetris-framework-modus-operandi
Image: Imp0rtp3

The behavior to scrape data from the 58 third-party websites was completely silent. However, if the attackers couldn’t collect enough information to unmask a user, they also had additional plugins at their disposal that, while noisier, could be used as a last-ditch attempt to unmask users.

An inventory of all the Tetris Swid plugins is available below:

  • Eight plugins to collect data from remote websites via JSONP hijacking.
  • One plugin to collect geolocation data via the user’s browser. A permission request would be shown to the user in this case, making the attack easy to spot.
  • One plugin to collect the user’s internal network IP address via the WebRTC API.
  • One plugin to attempt to take a photo of the user via the local webcam. This plugin would also trigger a browser permission request.
  • One plugin to log the user’s keystrokes on the watering hole domain (but not on third party sites).
  • One plugin to determine if the user is using Tor.
  • One plugin to connect to the user’s system via a websocket and steal local secrets via this technique.
  • One plugin to collect extensive technical data about the user’s system.

According to Imp0rtp3, data that the attackers could collect through Tetris from third-party websites included:

Domain Attributes Global Alexa Rank Chinese Rank
tmall.com isLogin 3 1
qq.com userId,nickName,headURL,userHome 4 2
baidu.com userId,userName 5 3
sohu.com nickName,headURL,userHome,profile,userName 6 4
taobao.com isLogin 8 5
jd.com userName,headURL 10 7
weibo.com userId 14 8
tianya.cn userName 42 17
aliexpress.com isLogin 44
gome.com.cn userId,nickName,headURL 89 26
163.com nickName,headURL 97 27
nytimes.com uid,subscriptions 113
zol.com.cn userId 310 50
iqiyi.com userinfo,qiyi_vip_info 390 53
outbrain.com userName 419
58.com userName,userId,phone 468 58
zhibo8.cc userId,nickName,background,headURL 482 69
dianping.com userId,nickName 619 93
renren.com userId,nickName,userName,headURL,birth 696 94
youku.com userId,userName,sex,headURL 710 104
dangdang.com ddoy,loginTime 799 109
anjuke.com userId,userName,lastUser,profileURL 844 119
smzdm.com userId,nickName,headURL 1489 207
ifeng.com isLogin,isLogin 1607 218
7k7k.com userId,userName,nickName,headURL,level 1902 216
zhaopin.com userName 2587 289
4399.com isLogin,gameInfos 2764 254
ctrip.com userName,level 3185 346
10086.cn userName 4047 383
hupu.com userId,userName 4440 543
vip.com level,lastLogin 6074 1519
pconline.com.cn userId,nickName 7303 773
xunlei.com nickName,payName,userName 8680 2126
xcar.com.cn headURL,userName,userName 10868 1157
qunar.com isLogin 11185 1708
pcauto.com.cn userId 11410 2117
jumei.com nickName,userId 14264 1726
37.com userName,lastLoginIP,lastLoginTime 14905 1548
hexun.com userId,userName,headURL,sex 20653 2480
suning.com phone,headURL,level 28883 2845
lu.com userId,sex,realName,userName,mobile 29184 2985
tiexue.net userId,userName 31430 3235
baihe.com userId,nickName,gender,age,headURL,cityID 36791
bbs.360safe.com userName,userId,email,adminId,lastVisit,group 39660
qyer.com username,userid 43347
56.com userHome 48982
zongheng.com level,headURL 59346
ziroom.com userName 74364 3702
bitauto.com userId,userName 84849
chinaiiss.com userName 119808
2144.cn userId,userName,nickName 199953
yhd.com userName,headURL 343737
letv.com userId 671069
readnovel.com userName,headURL 1167917
duoshuo.com userId,userName,userHome,headURL,social_uid,email
aliyun.com userId
huihui.com uid,userName
daijun.com userName

Tetris framework usage linked to a Chinese threat actor

But while analyzing the technical intricacies of cyber-espionage tools is all fine and dandy, knowing who uses these tools and against who is also of importance when it comes to warning and protecting their victims.

On this front, the researcher assessed with high confidence that the group using the framework was working on behalf of the Chinese government.

This assessment is backed by the threat actor’s attempts to limit the attack to a very narrow category of users who use Chinese keyboards and are accustomed to reading news articles critical of the Chinese government—and most likely part of the Chinese opposition movement, activists, and dissidents.

The researcher also noted that the abuse of the JSONP hijacking technique to retrieve user details from third-party sites when a user visits a “watering hole” portal has also been seen before in 2015. During that campaign, a Chinese threat actor used what appears to be a simpler version of the Swid plugins against Chinese visitors of NGO, Uyghur, and Islamic websites.


While web-based attack tools like Tetris aren’t a common sight in cybersecurity reports these days, as most threat actors like to rely on spear-phishing and malware, they are still useful for attackers as they can be used to identify possible targets of interest that can be arrested in the real world or targeted at a later day with malware.

Imp0rtp3 said that users who’d like to protect themselves against such tools are recommended to use the NoScript browser add-on or to visit sites using Incognito (Private Browsing) Mode.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.


Source: Recorded Future

Leave a Reply