Earth Wendigo Hackers Exploit Emails Through Javascript Backdoor

A newly discovered malware was found to be exfiltrating emails from several organizations, including government organizations, research institutions, and universities in Taiwan. The attackers carried out this operation by injecting a Javascript Backdoor to a popularly used webmail system in Taiwan. The threat actor has no connection with any of the already prevailing attack groups. The attack flow of Earth Wendigo is represented in the image below. 

Further investigation revealed that the threat actor has also targeted specific individuals with spear-phishing emails in a separate attack campaign. Targeted individuals include politicians and activists who support movements in Tibet, Hong Kong or the Uyghur region. 

Initial Access: 

The threat actor follows a series of sophisticated steps to carry out the attack. Firstly, a spear-phishing email appended with obfuscated Javascript code is sent to the target individual. As soon as the victim reads the mail, the Javascript code contacts a remote server and loads malicious scripts into the target system. 

Behavior and Objectives of the attack: 

The scripts are designed to perform malicious actions such as stealing browser cookies and webmail session keys and sending them to the remote server. The malicious scripts are also appended to the victim’s email signature to propagate the infection to their contacts. 

The threat actors are exploiting the cross-site scripting (XSS) vulnerability of the webmail system to allow their malicious JavaScript to be injected on the webmail page permanently. The vulnerability in the Webmail system has already been fixed in January 2020. Therefore, this should not affect those using the latest version of the webmail system. 

In case the attackers are unable to inject the XSS vulnerability, they use a web browser feature that allows the Javascript to intercept and manipulate the HTTPS request between the client and the server by registering their malicious Javascript to Service Worker. This Service Worker script can then expropriate login credentials. 

The malicious code also contains a cookie stealer script that generates a request to “/cgi-bin/start,” which is a wrapper page embedded within the webmail session key. The script then extracts the session key and browser cookies. The image below shows the malicious script to steal the browser cookie and session key. 

On successfully carrying out the attack, the backdoor can read emails on the server and send their content and attachments to the attacker’s WebSocket server. The backdoor also infects other individuals by appending the malicious Javascript to the emails sent by the victim to his contacts using the same webmail system. 

Earth Wendigo was also found to be using multiple malware variants written in python. The variants are communicating to the same domain used in the Wendigo attack. Most of the variants are shellcode loaders from the Cobalt strike group. However, it is unclear what additional code they delivered on the victim’s system from the attacker’s C&C server. 

XSS attacks like the one carried out by Earth Wendigo can be avoided by adopting security measures such as: 

  • Enabling a Content Security Policy in your security product to prevent cross-site scripting, clickjacking, and other code injection attacks. 
  • Using HTTP Public Key Pinning to prevent attackers from using mis-issued or otherwise fraudulent digital certificates. 

Indicators of Compromise(IOCs) 

Indicator Description 
mail2000tw[.]com Domain operated by Earth Wendigo 
bf[.]mail2000tw[.]com Domain operated by Earth Wendigo 
admin[.]mail2000tw[.]com Domain operated by Earth Wendigo 
googletwtw[.]com Domain operated by Earth Wendigo 
bf[.]googletwtw[.]com Domain operated by Earth Wendigo 
ws[.]googletwtw[.]com Domain operated by Earth Wendigo 
admin[.]googletwtw[.]com Domain operated by Earth Wendigo 
anybodyopenfind[.]com Domain operated by Earth Wendigo 
support[.]anybodyopenfind[.]com Domain operated by Earth Wendigo 
supports[.]anybodyopenfind[.]com Domain operated by Earth Wendigo 
supportss[.]anybodyopenfind[.]com Domain operated by Earth Wendigo 
a61e84ac9b9d3009415c7982887dd7834ba2e7c8ea9098f33280d82b9a81f923 Earth Wendigo XSS attack script 
66cf12bb9b013c30f9db6484caa5d5d0a94683887cded2758886aae1cb5c1c65 Earth Wendigo XSS attack script 
4cdaca6b01f52092a1dd30fc68ee8f6d679ea6f7a21974e4a3eb8d14be6f5d74 Earth Wendigo XSS attack script 
f50a589f3b3ebcc326bab55d1ef271dcec372c25d65f381a409ea85929a34b49 Earth Wendigo XSS attack script 
e047aa878f9e7a55a80cc1b70d0ac9840251691e91ab6454562afbff427b0879 Earth Wendigo XSS attack script  
a1a6dc2a6c795fc315085d00aa7fdabd1f043b28c68d4f98d4152fe539f026f1 Earth Wendigo XSS attack script 
10d2158828b953ff1140376ceb79182486525fd14b98f743dafa317110c1b289 Earth Wendigo XSS attack script 
0e04a03afa5b66014457136fb4d437d51da9067dc88452f9ebd098d10c97c5b8 Earth Wendigo XSS attack script 
75f3f724a2bfda1e74e0de36ff6a12d3f2ea599a594845d7e6bc7c76429e0fa4 Earth Wendigo XSS attack script 
c3bc364409bb0c4453f6d80351477ff8a13a1acdc5735a9dff4ea4b3f5ad201c Earth Wendigo XSS attack script 
5251087bb2a0c87ac60c13f2edb7c39fb1ea26984fcc07e4cf8b39db31ce2b08 Earth Wendigo XSS attack script 
7fa9a58163dd233065a86f9ed6857ed698fc6e454e6b428ea93f4f711279fb61 Earth Wendigo XSS attack script 
f568f823959be80a707e05791718c1c3c377da1b0db1865821c1cf7bc53b6084 Earth Wendigo XSS attack script 
a54d58d5a5812abaede3e2012ae757d378fb51c7d3974eaa3a3f34511161c1db Earth Wendigo XSS attack script 
77c3d62cce21c2c348f825948042f7d36999e3be80db32ac98950e88db4140b1 Earth Wendigo XSS attack script 
c0dabb52c73173ea0b597ae4ad90d67c23c85110b06aa3c9e110a852ebe04420 Earth Wendigo Service Worker script 
efe541889f3da7672398d7ad00b8243e94d13cc3254ed59cd547ad172c1aa4be Earth Wendigo WebSocket JavaScript backdoor 
2411b7b9ada83f6586278e0ad36b42a98513c9047a272a5dcb4a2754ba8e6f1d Earth Wendigo Shellcode Loader 
1de54855b15fc55b4a865723224119029e51b381a11fda5d05159c74f50cb7de Earth Wendigo Shellcode Loader 
d935c9fe8e229f1dabcc0ceb02a9ce7130ae313dd18de0b1aca69741321a7d1b Earth Wendigo Shellcode Loader 
50f23b6f4dff77ce4101242ebc3f12ea40156a409a7417ecf6564af344747b76 Earth Wendigo Shellcode Loader 
fab0c4e0992afe35c5e99bf9286db94313ffedc77d138e96af940423b2ca1cf2 Earth Wendigo Shellcode Loader 
4d9c63127befad0b65078ccd821a9cd6c1dccec3e204a253751e7213a2d39e39 Earth Wendigo Shellcode Loader 
25258044c838c6fc14a447573a4a94662170a7b83f08a8d76f96fbbec3ab08e2 Earth Wendigo Shellcode Loader 
13952e13d310fb5102fd4a90e4eafe6291bc97e09eba50fedbc2f8900c80165f Earth Wendigo Shellcode Loader 
ccb7be5a5a73104106c669d7c58b13a55eb9db3b3b5a6d3097ac8b68f2555d39 Earth Wendigo Shellcode Loader 
40a251184bb680edadfa9778a37135227e4191163882ccf170835e0658b1e0ed Earth Wendigo Shellcode Loader 
0d6c3cc46be2c2c951c24c695558be1e2338635176fa34e8b36b3e751ccdb0de Cobalt Strike 


About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Scroll to Top