Chinese espionage tool exploits vulnerabilities is 58 widely used websites

A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.

Fifty-seven of the sites are popular Chinese portals, while the last is the site for US newspaper, the New York Times.

In addition, the tool also abused legitimate browser features in attempts to collect user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target’s face—although many of these capabilities weren’t as silent as the exploits targeting third-party websites, since they also tended to trigger a browser notification prompt.

Tetris is a complex web-based spying tool

Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership.

“The sites both appear to be independent newsblogs,” said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month.

“Both [sites] are focused on China, one site [is focused on China’s] actions against Taiwan and Hong-Kong written in Chinese and still updated and the other about general atrocities done by the Chinese government, written in Swedish and last updated [in] 2016,” the researcher said.

According to Imp0rtp3, users who landed on these two websites were first greeted by Jetriz, the first of Tetris’ two components, which would gather and read basic information about a visitor’s browser.

If the user had the browser set to use the Chinese language, the would-be victim would be redirected to the second Tetris component.

Named Swid, this component would load 15 different plugins (JavaScript files) inside the victim’s browser in order to perform various actions.

Eight of the plugins would abuse a technique called JSON hijacking to open connections to popular websites and retrieve public data about the user on those sites.

While this technique didn’t include passwords or authentication cookies, Imp0rtp3 said the attacker could collect information such as usernames, phone numbers, or real names, which could be sometimes used to link a visitor to one of their public personas.

Image: Imp0rtp3

The behavior to scrape data from the 58 third-party websites was completely silent. However, if the attackers couldn’t collect enough information to unmask a user, they also had additional plugins at their disposal that, while noisier, could be used as a last-ditch attempt to unmask users.

An inventory of all the Tetris Swid plugins is available below:

  • Eight plugins to collect data from remote websites via JSONP hijacking.
  • One plugin to collect geolocation data via the user’s browser. A permission request would be shown to the user in this case, making the attack easy to spot.
  • One plugin to collect the user’s internal network IP address via the WebRTC API.
  • One plugin to attempt to take a photo of the user via the local webcam. This plugin would also trigger a browser permission request.
  • One plugin to log the user’s keystrokes on the watering hole domain (but not on third party sites).
  • One plugin to determine if the user is using Tor.
  • One plugin to connect to the user’s system via a websocket and steal local secrets via this technique.
  • One plugin to collect extensive technical data about the user’s system.

According to Imp0rtp3, data that the attackers could collect through Tetris from third-party websites included:

Domain Attributes Global Alexa Rank Chinese Rank isLogin 3 1 userId,nickName,headURL,userHome 4 2 userId,userName 5 3 nickName,headURL,userHome,profile,userName 6 4 isLogin 8 5 userName,headURL 10 7 userId 14 8 userName 42 17 isLogin 44 userId,nickName,headURL 89 26 nickName,headURL 97 27 uid,subscriptions 113 userId 310 50 userinfo,qiyi_vip_info 390 53 userName 419 userName,userId,phone 468 58 userId,nickName,background,headURL 482 69 userId,nickName 619 93 userId,nickName,userName,headURL,birth 696 94 userId,userName,sex,headURL 710 104 ddoy,loginTime 799 109 userId,userName,lastUser,profileURL 844 119 userId,nickName,headURL 1489 207 isLogin,isLogin 1607 218 userId,userName,nickName,headURL,level 1902 216 userName 2587 289 isLogin,gameInfos 2764 254 userName,level 3185 346 userName 4047 383 userId,userName 4440 543 level,lastLogin 6074 1519 userId,nickName 7303 773 nickName,payName,userName 8680 2126 headURL,userName,userName 10868 1157 isLogin 11185 1708 userId 11410 2117 nickName,userId 14264 1726 userName,lastLoginIP,lastLoginTime 14905 1548 userId,userName,headURL,sex 20653 2480 phone,headURL,level 28883 2845 userId,sex,realName,userName,mobile 29184 2985 userId,userName 31430 3235 userId,nickName,gender,age,headURL,cityID 36791 userName,userId,email,adminId,lastVisit,group 39660 username,userid 43347 userHome 48982 level,headURL 59346 userName 74364 3702 userId,userName 84849 userName 119808 userId,userName,nickName 199953 userName,headURL 343737 userId 671069 userName,headURL 1167917 userId,userName,userHome,headURL,social_uid,email userId uid,userName userName

Tetris framework usage linked to a Chinese threat actor

But while analyzing the technical intricacies of cyber-espionage tools is all fine and dandy, knowing who uses these tools and against who is also of importance when it comes to warning and protecting their victims.

On this front, the researcher assessed with high confidence that the group using the framework was working on behalf of the Chinese government.

This assessment is backed by the threat actor’s attempts to limit the attack to a very narrow category of users who use Chinese keyboards and are accustomed to reading news articles critical of the Chinese government—and most likely part of the Chinese opposition movement, activists, and dissidents.

The researcher also noted that the abuse of the JSONP hijacking technique to retrieve user details from third-party sites when a user visits a “watering hole” portal has also been seen before in 2015. During that campaign, a Chinese threat actor used what appears to be a simpler version of the Swid plugins against Chinese visitors of NGO, Uyghur, and Islamic websites.

While web-based attack tools like Tetris aren’t a common sight in cybersecurity reports these days, as most threat actors like to rely on spear-phishing and malware, they are still useful for attackers as they can be used to identify possible targets of interest that can be arrested in the real world or targeted at a later day with malware.

Imp0rtp3 said that users who’d like to protect themselves against such tools are recommended to use the NoScript browser add-on or to visit sites using Incognito (Private Browsing) Mode.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Source: Recorded Future

Leave a Reply