Further investigation revealed that the threat actor has also targeted specific individuals with spear-phishing emails in a separate attack campaign. Targeted individuals include politicians and activists who support movements in Tibet, Hong Kong or the Uyghur region.
Behavior and Objectives of the attack:
The scripts are designed to steal browser cookies and webmail session keys and send them to the attacker's remote server. The malicious scripts are also appended to the victim's email signature so that the infection propagates to the victim's contacts.
The malicious code also contains a cookie-stealer script that sends a request to "/cgi-bin/start", a wrapper page with the webmail session key embedded in it. The script then extracts the session key from that page along with the browser cookies. The image below shows the malicious script used to steal the browser cookie and session key.
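The propagation step above works only if the webmail backend stores whatever HTML the (hijacked) session writes into the signature field. The following Python allowlist sanitizer is an added example, not code from the article or from the affected webmail product; it shows the server-side control that stops a stored script payload from being persisted in a signature. The tag and attribute allowlist, the element names and the sample signatures are assumptions constructed for this example.

```python
"""Allowlist sanitizer for user-supplied HTML such as a webmail signature.

Added example, not code from the original article or from the affected webmail
product. Anything not explicitly allowed (script and similar elements, on*
event handlers, javascript: URLs) is dropped before the signature is saved or
rendered. The tag/attribute allowlist is an assumption made for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "p", "span", "strong"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no on* handlers, no id/class
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def _safe_url(value: str) -> bool:
    """Accept only http(s)/mailto links; strip non-printable bytes browsers ignore."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    return cleaned.startswith(SAFE_URL_SCHEMES)


class SignatureSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0      # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag is dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue         # drops onclick=, onmouseover=, style=, ...
            if name == "href" and not _safe_url(value):
                continue         # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped, never passed through raw


def sanitize_signature(html: str) -> str:
    """Return a sanitized copy of an HTML signature."""
    parser = SignatureSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: a signature with an injected loader and a link-based payload.
    hostile = ('<div>Regards, Alice'
               '<script src="https://malicious.example/x.js"></script>'
               '<a href="javascript:alert(1)" onclick="steal()">site</a></div>')
    print(sanitize_signature(hostile))
```

The design point is the allowlist: the sanitizer never tries to recognise bad markup, it only emits markup it knows. A production deployment would normally reach for a maintained sanitizer library with the same allowlist semantics rather than a hand-rolled parser, and would pair it with an `HttpOnly` flag on the session cookie so a script that does get through cannot read it.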
Earth Wendigo was also found to be using multiple malware variants written in Python. The variants communicate with the same domain used in the Wendigo attack. Most of the variants are shellcode loaders associated with Cobalt Strike. However, it is unclear what additional code was delivered to the victim's system from the attacker's C&C server.
XSS attacks like the one carried out by Earth Wendigo can be avoided by adopting security measures such as:
- Enabling a Content Security Policy on the web application (delivered as an HTTP response header) to restrict where scripts may load from and execute, which prevents cross-site scripting, clickjacking, and other code injection attacks.
- Using HTTP Public Key Pinning to prevent attackers from using mis-issued or otherwise fraudulent digital certificates. Note that mainstream browsers have since removed support for HPKP, so this control is no longer effective in practice.
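A Content Security Policy only helps against an attack like this if the script directive is actually strict. The following linter is an added example (not from the article or any vendor product) that parses a CSP header and reports the settings that would let an injected script run: no script policy at all, `'unsafe-inline'` without a nonce or hash, wildcard or scheme-only sources, `'unsafe-eval'`, and an `object-src` that is not `'none'`. The weak and hardened sample policies, including the nonce placeholder, are constructed for the example.

```python
"""Lint a Content-Security-Policy header for settings that leave script injection open.

Added example, not taken from the original article or from any vendor product.
The sample policies below are constructed; 'nonce-RANDOM_PER_RESPONSE' is a
placeholder for a value the server generates freshly for every response.
"""

SCHEME_OR_WILDCARD = {"*", "http:", "https:", "data:", "blob:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.

    Directive names are case-insensitive; the first occurrence of a directive
    wins and later duplicates are ignored, matching browser behaviour.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means no weakness was found."""
    policy = parse_csp(header)
    findings = []

    # script-src falls back to default-src; with neither, any script may run.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["no script-src or default-src: scripts from any origin may execute"]

    keywords = {s.lower() for s in script}
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
    # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    # so it is only a weakness when it stands alone.
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected <script> and on* handlers execute")
    if "'unsafe-eval'" in keywords:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks remain usable")
    for src in sorted(keywords & SCHEME_OR_WILDCARD):
        findings.append(f"script-src allows {src}: any host matching it can serve the payload")

    # Plugin content is a classic script vehicle; object-src should be 'none'.
    objects = policy.get("object-src", policy.get("default-src", ["*"]))
    if [s.lower() for s in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be used to run code")
    return findings


# Constructed sample policies for the example.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = ("default-src 'none'; script-src 'nonce-RANDOM_PER_RESPONSE' 'strict-dynamic'; "
                "object-src 'none'; base-uri 'none'; style-src 'self'; img-src 'self'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {lint_csp(header) or ['ok']}")
```

Run against the two samples, the weak policy produces three findings and the hardened one none. The hardened policy is the nonce-based pattern: inline scripts the server did not stamp with the per-response nonce do not run, so a payload appended to a signature or injected through a parameter is blocked even if it reaches the page.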
Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| mail2000tw[.]com | Domain operated by Earth Wendigo |
| bf[.]mail2000tw[.]com | Domain operated by Earth Wendigo |
| admin[.]mail2000tw[.]com | Domain operated by Earth Wendigo |
| googletwtw[.]com | Domain operated by Earth Wendigo |
| bf[.]googletwtw[.]com | Domain operated by Earth Wendigo |
| ws[.]googletwtw[.]com | Domain operated by Earth Wendigo |
| admin[.]googletwtw[.]com | Domain operated by Earth Wendigo |
| anybodyopenfind[.]com | Domain operated by Earth Wendigo |
| support[.]anybodyopenfind[.]com | Domain operated by Earth Wendigo |
| supports[.]anybodyopenfind[.]com | Domain operated by Earth Wendigo |
| supportss[.]anybodyopenfind[.]com | Domain operated by Earth Wendigo |
| a61e84ac9b9d3009415c7982887dd7834ba2e7c8ea9098f33280d82b9a81f923 | Earth Wendigo XSS attack script |
| 66cf12bb9b013c30f9db6484caa5d5d0a94683887cded2758886aae1cb5c1c65 | Earth Wendigo XSS attack script |
| 4cdaca6b01f52092a1dd30fc68ee8f6d679ea6f7a21974e4a3eb8d14be6f5d74 | Earth Wendigo XSS attack script |
| f50a589f3b3ebcc326bab55d1ef271dcec372c25d65f381a409ea85929a34b49 | Earth Wendigo XSS attack script |
| e047aa878f9e7a55a80cc1b70d0ac9840251691e91ab6454562afbff427b0879 | Earth Wendigo XSS attack script |
| a1a6dc2a6c795fc315085d00aa7fdabd1f043b28c68d4f98d4152fe539f026f1 | Earth Wendigo XSS attack script |
| 10d2158828b953ff1140376ceb79182486525fd14b98f743dafa317110c1b289 | Earth Wendigo XSS attack script |
| 0e04a03afa5b66014457136fb4d437d51da9067dc88452f9ebd098d10c97c5b8 | Earth Wendigo XSS attack script |
| 75f3f724a2bfda1e74e0de36ff6a12d3f2ea599a594845d7e6bc7c76429e0fa4 | Earth Wendigo XSS attack script |
| c3bc364409bb0c4453f6d80351477ff8a13a1acdc5735a9dff4ea4b3f5ad201c | Earth Wendigo XSS attack script |
| 5251087bb2a0c87ac60c13f2edb7c39fb1ea26984fcc07e4cf8b39db31ce2b08 | Earth Wendigo XSS attack script |
| 7fa9a58163dd233065a86f9ed6857ed698fc6e454e6b428ea93f4f711279fb61 | Earth Wendigo XSS attack script |
| f568f823959be80a707e05791718c1c3c377da1b0db1865821c1cf7bc53b6084 | Earth Wendigo XSS attack script |
| a54d58d5a5812abaede3e2012ae757d378fb51c7d3974eaa3a3f34511161c1db | Earth Wendigo XSS attack script |
| 77c3d62cce21c2c348f825948042f7d36999e3be80db32ac98950e88db4140b1 | Earth Wendigo XSS attack script |
| c0dabb52c73173ea0b597ae4ad90d67c23c85110b06aa3c9e110a852ebe04420 | Earth Wendigo Service Worker script |
| 2411b7b9ada83f6586278e0ad36b42a98513c9047a272a5dcb4a2754ba8e6f1d | Earth Wendigo Shellcode Loader |
| 1de54855b15fc55b4a865723224119029e51b381a11fda5d05159c74f50cb7de | Earth Wendigo Shellcode Loader |
| d935c9fe8e229f1dabcc0ceb02a9ce7130ae313dd18de0b1aca69741321a7d1b | Earth Wendigo Shellcode Loader |
| 50f23b6f4dff77ce4101242ebc3f12ea40156a409a7417ecf6564af344747b76 | Earth Wendigo Shellcode Loader |
| fab0c4e0992afe35c5e99bf9286db94313ffedc77d138e96af940423b2ca1cf2 | Earth Wendigo Shellcode Loader |
| 4d9c63127befad0b65078ccd821a9cd6c1dccec3e204a253751e7213a2d39e39 | Earth Wendigo Shellcode Loader |
| 25258044c838c6fc14a447573a4a94662170a7b83f08a8d76f96fbbec3ab08e2 | Earth Wendigo Shellcode Loader |
| 13952e13d310fb5102fd4a90e4eafe6291bc97e09eba50fedbc2f8900c80165f | Earth Wendigo Shellcode Loader |
| ccb7be5a5a73104106c669d7c58b13a55eb9db3b3b5a6d3097ac8b68f2555d39 | Earth Wendigo Shellcode Loader |
| 40a251184bb680edadfa9778a37135227e4191163882ccf170835e0658b1e0ed | Earth Wendigo Shellcode Loader |
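The indicators above are published defanged, so they cannot be dropped into a log search as-is. The following Python matcher is an added example, not from the article or from Cyble: it refangs the indicators, treats each domain indicator as matching the exact host and any subdomain (but not a look-alike that merely contains it), and matches SHA-256 values case-insensitively. The indicator subset is copied from the table; the proxy, EDR and DNS log lines are constructed for the example and are not real telemetry.

```python
"""Match the defanged indicators above against proxy, DNS and EDR log lines.

Added example, not code from the original article or from Cyble. The indicator
subset is copied from the IoC table; the log lines are constructed.
"""
import re

DEFANGED_IOCS = {
    "mail2000tw[.]com": "Domain operated by Earth Wendigo",
    "googletwtw[.]com": "Domain operated by Earth Wendigo",
    "anybodyopenfind[.]com": "Domain operated by Earth Wendigo",
    "a61e84ac9b9d3009415c7982887dd7834ba2e7c8ea9098f33280d82b9a81f923": "Earth Wendigo XSS attack script",
    "c0dabb52c73173ea0b597ae4ad90d67c23c85110b06aa3c9e110a852ebe04420": "Earth Wendigo Service Worker script",
    "2411b7b9ada83f6586278e0ad36b42a98513c9047a272a5dcb4a2754ba8e6f1d": "Earth Wendigo Shellcode Loader",
}

# A dotted host name that starts and ends on a label boundary.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(indicator: str) -> str:
    """Turn 'bf[.]example[.]com' back into 'bf.example.com'."""
    return indicator.replace("[.]", ".").lower()


def split_iocs(defanged):
    """Separate refanged indicators into domain and hash lookups."""
    domains, hashes = {}, {}
    for ioc, desc in defanged.items():
        value = refang(ioc)
        (hashes if SHA256_RE.fullmatch(value) else domains)[value] = desc
    return domains, hashes


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain; a look-alike that only
    contains the indicator (e.g. ioc.com.other.example) does not match."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_logs(lines, defanged=DEFANGED_IOCS):
    """Return (line_index, matched_value, description) for every indicator hit."""
    domains, hashes = split_iocs(defanged)
    hits = []
    for idx, line in enumerate(lines):
        for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
            for dom, desc in domains.items():
                if host_matches(host, dom):
                    hits.append((idx, host, desc))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in hashes:
                hits.append((idx, digest.lower(), hashes[digest.lower()]))
    return hits


# Constructed log lines (not real telemetry).
SAMPLE_LOGS = [
    "2021-01-12T09:14:03Z proxy user=alice dst=bf.googletwtw.com:443 method=GET path=/sw.js",
    "2021-01-12T09:15:10Z proxy user=alice dst=mail.example.com:443 method=GET path=/cgi-bin/start",
    "2021-01-12T09:16:00Z edr host=WS01 file=C:\\Users\\alice\\loader.exe "
    "sha256=2411B7B9ADA83F6586278E0AD36B42A98513C9047A272A5DCB4A2754BA8E6F1D",
    "2021-01-12T09:17:00Z dns q=googletwtw.com.lookalike.example rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for idx, value, desc in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {value} -> {desc}")
```

On the sample lines this reports the subdomain hit on line 0 and the uppercase hash on line 2, and stays silent on the look-alike in line 3; the subdomain rule is what makes the `bf.`, `ws.` and `admin.` hosts in the table fall out of the three apex domains without listing each one.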
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.