JavaScript|Tetris-framework-modus-operandi
JavaScript|Tetris-framework-modus-operandi

Chinese espionage tool exploits vulnerabilities in 58 widely used websites

A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.

Fifty-seven of the sites are popular Chinese portals, while the last is the site for US newspaper, the New York Times.

In addition, the tool also abused legitimate browser features in attempts to collect user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target's face—although many of these capabilities weren't as silent as the exploits targeting third-party websites, since they also tended to trigger a browser notification prompt.

Tetris is a complex web-based spying tool

Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership.

"The sites both appear to be independent newsblogs," said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month.

"Both [sites] are focused on China, one site [is focused on China's] actions against Taiwan and Hong-Kong written in Chinese and still updated and the other about general atrocities done by the Chinese government, written in Swedish and last updated [in] 2016," the researcher said.

According to Imp0rtp3, users who landed on these two websites were first greeted by Jetriz, the first of Tetris' two components, which would gather and read basic information about a visitor's browser.

If the user had the browser set to use the Chinese language, the would-be victim would be redirected to the second Tetris component.

Named Swid, this component would load 15 different plugins (JavaScript files) inside the victim's browser in order to perform various actions.

Eight of the plugins would abuse a technique called JSON hijacking to open connections to popular websites and retrieve public data about the user on those sites.

While this technique didn't include passwords or authentication cookies, Imp0rtp3 said the attacker could collect information such as usernames, phone numbers, or real names, which could be sometimes used to link a visitor to one of their public personas.

2021-08-Tetris-framework-modus-operandi-1024x640.png

The behavior to scrape data from the 58 third-party websites was completely silent. However, if the attackers couldn't collect enough information to unmask a user, they also had additional plugins at their disposal that, while noisier, could be used as a last-ditch attempt to unmask users.

An inventory of all the Tetris Swid plugins is available below:

  • Eight plugins to collect data from remote websites via JSONP hijacking.
  • One plugin to collect geolocation data via the user's browser. A permission request would be shown to the user in this case, making the attack easy to spot.
  • One plugin to collect the user's internal network IP address via the WebRTC API.
  • One plugin to attempt to take a photo of the user via the local webcam. This plugin would also trigger a browser permission request.
  • One plugin to log the user's keystrokes on the watering hole domain (but not on third party sites).
  • One plugin to determine if the user is using Tor.
  • One plugin to connect to the user's system via a websocket and steal local secrets via this technique.
  • One plugin to collect extensive technical data about the user's system.

According to Imp0rtp3, data that the attackers could collect through Tetris from third-party websites included:

DomainAttributesGlobal Alexa RankChinese Rank
tmall.comisLogin31
qq.comuserId,nickName,headURL,userHome42
baidu.comuserId,userName53
sohu.comnickName,headURL,userHome,profile,userName64
taobao.comisLogin85
jd.comuserName,headURL107
weibo.comuserId148
tianya.cnuserName4217
aliexpress.comisLogin44
gome.com.cnuserId,nickName,headURL8926
163.comnickName,headURL9727
nytimes.comuid,subscriptions113
zol.com.cnuserId31050
iqiyi.comuserinfo,qiyi_vip_info39053
outbrain.comuserName419
58.comuserName,userId,phone46858
zhibo8.ccuserId,nickName,background,headURL48269
dianping.comuserId,nickName61993
renren.comuserId,nickName,userName,headURL,birth69694
youku.comuserId,userName,sex,headURL710104
dangdang.comddoy,loginTime799109
anjuke.comuserId,userName,lastUser,profileURL844119
smzdm.comuserId,nickName,headURL1489207
ifeng.comisLogin,isLogin1607218
7k7k.comuserId,userName,nickName,headURL,level1902216
zhaopin.comuserName2587289
4399.comisLogin,gameInfos2764254
ctrip.comuserName,level3185346
10086.cnuserName4047383
hupu.comuserId,userName4440543
vip.comlevel,lastLogin60741519
pconline.com.cnuserId,nickName7303773
xunlei.comnickName,payName,userName86802126
xcar.com.cnheadURL,userName,userName108681157
qunar.comisLogin111851708
pcauto.com.cnuserId114102117
jumei.comnickName,userId142641726
37.comuserName,lastLoginIP,lastLoginTime149051548
hexun.comuserId,userName,headURL,sex206532480
suning.comphone,headURL,level288832845
lu.comuserId,sex,realName,userName,mobile291842985
tiexue.netuserId,userName314303235
baihe.comuserId,nickName,gender,age,headURL,cityID36791
bbs.360safe.comuserName,userId,email,adminId,lastVisit,group39660
qyer.comusername,userid43347
56.comuserHome48982
zongheng.comlevel,headURL59346
ziroom.comuserName743643702
bitauto.comuserId,userName84849
chinaiiss.comuserName119808
2144.cnuserId,userName,nickName199953
yhd.comuserName,headURL343737
letv.comuserId671069
readnovel.comuserName,headURL1167917
duoshuo.comuserId,userName,userHome,headURL,social_uid,email
aliyun.comuserId
huihui.comuid,userName
daijun.comuserName

Tetris framework usage linked to a Chinese threat actor

But while analyzing the technical intricacies of cyber-espionage tools is all fine and dandy, knowing who uses these tools and against who is also of importance when it comes to warning and protecting their victims.

On this front, the researcher assessed with high confidence that the group using the framework was working on behalf of the Chinese government.

This assessment is backed by the threat actor's attempts to limit the attack to a very narrow category of users who use Chinese keyboards and are accustomed to reading news articles critical of the Chinese government—and most likely part of the Chinese opposition movement, activists, and dissidents.

The researcher also noted that the abuse of the JSONP hijacking technique to retrieve user details from third-party sites when a user visits a "watering hole" portal has also been seen before in 2015. During that campaign, a Chinese threat actor used what appears to be a simpler version of the Swid plugins against Chinese visitors of NGO, Uyghur, and Islamic websites.


While web-based attack tools like Tetris aren't a common sight in cybersecurity reports these days, as most threat actors like to rely on spear-phishing and malware, they are still useful for attackers as they can be used to identify possible targets of interest that can be arrested in the real world or targeted at a later day with malware.

Imp0rtp3 said that users who'd like to protect themselves against such tools are recommended to use the NoScript browser add-on or to visit sites using Incognito (Private Browsing) Mode.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.